diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3d6f1daf8..e8c87d6db 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -22,7 +22,7 @@ # NGINX Agent content/nginx/nms/agent/* @nginx/nginx-agent -# NGINX App Protect DoS +# F5 DoS for NGINX content/nap-dos/* @nginx/dos-docs-approvers # NGINX App Protect WAF diff --git a/_banners/waf-oss-usage.md b/_banners/waf-oss-usage.md new file mode 100644 index 000000000..abec9f383 --- /dev/null +++ b/_banners/waf-oss-usage.md @@ -0,0 +1,7 @@ +{{< banner "warning" "NGINX Open Source availability" >}} + +The guidance in this section is **only** applicable to F5 WAF for NGINX v5. + +For NGINX v4, you must use an [NGINX Plus]({{< ref "/waf/install/plus" >}}) deployment. + +{{< /banner >}} \ No newline at end of file diff --git a/cloudcannon.config.yml b/cloudcannon.config.yml index 8aa064275..e6b2aa94a 100644 --- a/cloudcannon.config.yml +++ b/cloudcannon.config.yml @@ -88,8 +88,8 @@ collections_config: nap_dos: path: content/nap-dos output: true - name: NGINX App Protect DoS - description: Documentation for NGINX App Protect DoS + name: F5 DoS for NGINX + description: Documentation for F5 DoS for NGINX parse_branch_index: false icon: notes preview: diff --git a/content/includes/nic/configuration/security.md b/content/includes/nic/configuration/security.md index 4ade6e0cf..c7aae8062 100644 --- a/content/includes/nic/configuration/security.md +++ b/content/includes/nic/configuration/security.md @@ -34,7 +34,7 @@ By default, the ServiceAccount has access to all Secret resources in the cluster ### Configure root filesystem as read-only {{< call-out "caution" >}} - This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf/v5/). It is not compatible with [NGINX App Protect WAFv4](https://docs.nginx.com/nginx-app-protect-waf/v4/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/). + This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf/v5/). It is not compatible with [NGINX App Protect WAFv4](https://docs.nginx.com/nginx-app-protect-waf/v4/) or [F5 DoS for NGINX](https://docs.nginx.com/nginx-app-protect-dos/). {{< /call-out >}} NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes `nginx-ingress-controller`, though also includes `waf-enforcer` and `waf-config-mgr` when NGINX App Protect WAFv5 is in use. This is so that the attack surface is further reduced by limiting changes to binaries and libraries. diff --git a/content/includes/nic/rbac/set-up-rbac.md b/content/includes/nic/rbac/set-up-rbac.md index eaf9a6c6f..03a7727f7 100644 --- a/content/includes/nic/rbac/set-up-rbac.md +++ b/content/includes/nic/rbac/set-up-rbac.md @@ -18,7 +18,7 @@ nd-docs: DOCS-1468
-If you're planning to use NGINX App Protect or NGINX App Protect DoS, additional roles and bindings are needed. +If you're planning to use NGINX App Protect or F5 DoS for NGINX, additional roles and bindings are needed. 1. (NGINX App Protect only) Create the *App Protect* role and binding: @@ -26,7 +26,7 @@ If you're planning to use NGINX App Protect or NGINX App Protect DoS, additional kubectl apply -f deployments/rbac/ap-rbac.yaml ``` -2. (NGINX App Protect DoS only) Create the *App Protect DoS* role and binding: +2. (F5 DoS for NGINX only) Create the *App Protect DoS* role and binding: ```shell kubectl apply -f deployments/rbac/apdos-rbac.yaml diff --git a/content/includes/waf/default-conf-localhost.md b/content/includes/waf/default-conf-localhost.md new file mode 100644 index 000000000..ca94c6513 --- /dev/null +++ b/content/includes/waf/default-conf-localhost.md @@ -0,0 +1,39 @@ +--- +nd-docs: +--- + +```nginx +server { + listen 80; + server_name domain.com; + + proxy_http_version 1.1; + + location / { + + # NGINX App Protect WAF + app_protect_enable on; + + client_max_body_size 0; + default_type text/html; + proxy_pass http://127.0.0.1:8080/; + } +} + +server { + listen 8080; + server_name localhost; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } +} +``` diff --git a/content/includes/waf/nginx-conf-localhost.md b/content/includes/waf/nginx-conf-localhost.md new file mode 100644 index 000000000..587ff5b01 --- /dev/null +++ b/content/includes/waf/nginx-conf-localhost.md @@ -0,0 +1,41 @@ +--- +nd-docs: +--- + +```nginx +user nginx; +worker_processes auto; + +# NGINX App Protect WAF +load_module modules/ngx_http_app_protect_module.so; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + # NGINX App Protect WAF + app_protect_enforcer_address 127.0.0.1:50000; + + include /etc/nginx/conf.d/*.conf; +} +``` diff --git a/content/includes/waf/supported-policy-features.md b/content/includes/waf/supported-policy-features.md new file mode 100644 index 000000000..5246970b6 --- /dev/null +++ b/content/includes/waf/supported-policy-features.md @@ -0,0 +1,3 @@ +| Feature | Description | +| ----------------- | ----------- | +| [Attack signatures]({{< ref "/waf/policies/configuration.md#attack-signatures" >}}) | The default policy covers the OWASP top 10 attack patterns. Specific signature sets can be added or disabled. | \ No newline at end of file diff --git a/content/nap-dos/_index.md b/content/nap-dos/_index.md index e7d8430f2..264ffc8af 100644 --- a/content/nap-dos/_index.md +++ b/content/nap-dos/_index.md @@ -1,6 +1,6 @@ --- # The title is the product name -title: F5 NGINX App Protect DoS +title: F5 DoS for NGINX # The URL is the base of the deployed path, becoming "docs.nginx.com//" url: /nginx-app-protect-dos/ # The cascade directive applies its nested parameters down the page tree until overwritten @@ -21,7 +21,7 @@ nd-product: NAP-DOS ## About Achieve comprehensive protection against DoS and DDoS attacks for your apps and APIs with a multi-layered, adaptive, automated mitigation strategy for DevOps environments. -Running natively on NGINX Plus and NGINX Ingress Controller, NGINX App Protect DoS is platform-agnostic and supports deployment options ranging from edge load balancers to individual pods in Kubernetes clusters. +Running natively on NGINX Plus and NGINX Ingress Controller, F5 DoS for NGINX is platform-agnostic and supports deployment options ranging from edge load balancers to individual pods in Kubernetes clusters. ## Featured content [//]: # "You can add a maximum of three cards: any extra will not display." @@ -31,15 +31,15 @@ Running natively on NGINX Plus and NGINX Ingress Controller, NGINX App Protect D {{}} {{}} {{}} - Read how to install and upgrade NGINX App Protect DoS + Read how to install and upgrade F5 DoS for NGINX {{}} {{}} - Learn how to debug NGINX App Protect DoS + Learn how to debug F5 DoS for NGINX {{}} {{}} - Review changelogs for NGINX App Protect DoS + Review changelogs for F5 DoS for NGINX {{}} {{}} {{}} \ No newline at end of file diff --git a/content/nap-dos/deployment-guide/_index.md b/content/nap-dos/deployment-guide/_index.md index 14aebe96b..8a504d018 100644 --- a/content/nap-dos/deployment-guide/_index.md +++ b/content/nap-dos/deployment-guide/_index.md @@ -1,5 +1,5 @@ --- -description: Learn how to deploy NGINX App Protect DoS. +description: Learn how to deploy F5 DoS for NGINX. title: Deployment Guide weight: 100 url: /nginx-app-protect-dos/deployment-guide/ diff --git a/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md b/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md index a3eae476c..859cb939d 100644 --- a/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md +++ b/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md @@ -17,28 +17,28 @@ The AMIs contain combination of the following components: - Latest version of [F5 NGINX Plus](https://www.f5.com/products/nginx/nginx-plus), optimized for use on Amazon EC2 -- Latest version of [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/), optimized for use on Amazon EC2 +- Latest version of [F5 DoS for NGINX](https://docs.nginx.com/nginx-app-protect-dos/), optimized for use on Amazon EC2 - Latest version of [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/), optimized for use on Amazon EC2 - Pre-packaged software for building highly available (HA) NGINX Plus configurations ## Install NGINX Plus NGINX App Protect WAF + DoS -To quickly set up an environment with NGINX Plus, NGINX App Protect WAF and NGINX App Protect DoS on AWS: +To quickly set up an environment with NGINX Plus, NGINX App Protect WAF and F5 DoS for NGINX on AWS: 1. Follow the instructions in [Getting Started with Amazon EC2 Linux Instances](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html) to sign up on AWS and get more information about EC2 itself. 2. Proceed to the product page for the appropriate AMI at the AWS Marketplace, and launch the AMI. - - [NGINX Plus with NGINX App Protect DoS – RHEL 7 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-bjdboufufnb7g?sr=0-4&ref_=beagle&applicationId=AWSMPContessa) + - [NGINX Plus with F5 DoS for NGINX – RHEL 7 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-bjdboufufnb7g?sr=0-4&ref_=beagle&applicationId=AWSMPContessa) - - [NGINX Plus with NGINX App Protect DoS – RHEL8 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-e6bifer7o6uzm?sr=0-13&ref_=beagle&applicationId=AWSMPContessa) + - [NGINX Plus with F5 DoS for NGINX – RHEL8 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-e6bifer7o6uzm?sr=0-13&ref_=beagle&applicationId=AWSMPContessa) - - [NGINX Plus with NGINX App Protect DoS – CentOS 7 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-deeny2oe7izti?sr=0-12&ref_=beagle&applicationId=AWSMPContessa) + - [NGINX Plus with F5 DoS for NGINX – CentOS 7 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-deeny2oe7izti?sr=0-12&ref_=beagle&applicationId=AWSMPContessa) - - [NGINX Plus with NGINX App Protect DoS – Debian 11 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-56oveh2rsxsbq?sr=0-2&ref_=beagle&applicationId=AWSMPContessa) + - [NGINX Plus with F5 DoS for NGINX – Debian 11 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-56oveh2rsxsbq?sr=0-2&ref_=beagle&applicationId=AWSMPContessa) - - [NGINX Plus with NGINX App Protect DoS – Ubuntu 20.04 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-gsoln2vnsgpr4?sr=0-5&ref_=beagle&applicationId=AWSMPContessa) + - [NGINX Plus with F5 DoS for NGINX – Ubuntu 20.04 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-gsoln2vnsgpr4?sr=0-5&ref_=beagle&applicationId=AWSMPContessa) - - [NGINX Plus with NGINX App Protect DoS – Ubuntu 22.04 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-l6f2q2ykrjufy?sr=0-13&ref_=beagle&applicationId=AWSMPContessa) + - [NGINX Plus with F5 DoS for NGINX – Ubuntu 22.04 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-l6f2q2ykrjufy?sr=0-13&ref_=beagle&applicationId=AWSMPContessa) - [NGINX Plus with NGINX App Protect WAF + DoS – RHEL 7 Linux AMI HVM](https://aws.amazon.com/marketplace/pp/prodview-jedbygo6xbvto?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) @@ -62,7 +62,7 @@ To quickly set up an environment with NGINX Plus, NGINX App Protect WAF and NGIN See [NGINX Plus on the AWS Cloud](https://www.nginx.com/resources/datasheets/nginx-quick-start-guide-for-aws/) deployment guide for details. -6. Verify latest NGINX PLUS / NGINX App Protect DoS / NGINX App Protect WAF packages are installed on EC2 after its first start: +6. Verify latest NGINX PLUS / F5 DoS for NGINX / NGINX App Protect WAF packages are installed on EC2 after its first start: Verify NGINX App Protect WAF latest release from is @@ -88,7 +88,7 @@ To quickly set up an environment with NGINX Plus, NGINX App Protect WAF and NGIN nginx -v ``` - In case NGINX PLUS / NGINX App Protect DoS / NGINX App Protect WAF packages are not latest release then upgrade the following with these commands: + In case NGINX PLUS / F5 DoS for NGINX / NGINX App Protect WAF packages are not latest release then upgrade the following with these commands: For App Protect DoS solution based on RedHat / CentOS @@ -151,17 +151,17 @@ To quickly set up an environment with NGINX Plus, NGINX App Protect WAF and NGIN -8. If AMI includes [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/) +8. If AMI includes [F5 DoS for NGINX](https://docs.nginx.com/nginx-app-protect-dos/) - To enable NGINX App Protect DoS use the following steps: + To enable F5 DoS for NGINX use the following steps: - a. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file: + a. Load the F5 DoS for NGINX module on the main context in the `nginx.conf` file: ```shell load_module modules/ngx_http_app_protect_dos_module.so; ``` - b. Enable NGINX App Protect DoS on an `http/server/location` context in the `nginx.conf` file: + b. Enable F5 DoS for NGINX on an `http/server/location` context in the `nginx.conf` file: ```shell app_protect_dos_enable on; @@ -182,7 +182,7 @@ To quickly set up an environment with NGINX Plus, NGINX App Protect WAF and NGIN sudo systemctl restart nginx ``` - For more configuration information follow [NGINX App Protect DoS Directives and Policy](https://docs.nginx.com/nginx-app-protect-dos/directives-and-policy/learn-about-directives-and-policy/). + For more configuration information follow [F5 DoS for NGINX Directives and Policy](https://docs.nginx.com/nginx-app-protect-dos/directives-and-policy/learn-about-directives-and-policy/). @@ -190,7 +190,7 @@ To quickly set up an environment with NGINX Plus, NGINX App Protect WAF and NGIN If you encounter any problems with NGINX Plus configuration, documentation is available at [nginx.org](https://nginx.org/en/docs/) and in the [NGINX Plus Admin Guide](https://docs.nginx.com/nginx/admin-guide/installing-nginx/). -If you encounter any problems with NGINX App Protect DoS configuration, documentation is available at the [NGINX App Protect DoS Troubleshooting Guide](https://docs.nginx.com/nginx-app-protect-dos/troubleshooting-guide/how-to-troubleshoot/). +If you encounter any problems with F5 DoS for NGINX configuration, documentation is available at the [F5 DoS for NGINX Troubleshooting Guide](https://docs.nginx.com/nginx-app-protect-dos/troubleshooting-guide/how-to-troubleshoot/). If you encounter any problems with NGINX App Protect WAF configuration, documentation is available at the [NGINX App Protect WAF Troubleshooting Guide](https://docs.nginx.com/nginx-app-protect-waf/v4/troubleshooting-guide/troubleshooting/). diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index b4eeb180b..ed0c2e054 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md @@ -1,7 +1,7 @@ --- -description: Learn about F5 NGINX App Protect DoS Deployment. +description: Learn about F5 F5 DoS for NGINX Deployment. nd-docs: DOCS-666 -title: NGINX App Protect DoS Deployment +title: F5 DoS for NGINX Deployment toc: true weight: 100 type: @@ -10,16 +10,16 @@ type: ## Overview -F5 NGINX App Protect DoS provides behavioral protection against DoS for your web applications.

-This guide explains how to deploy NGINX App Protect DoS as well as upgrade App Protect DoS. +F5 F5 DoS for NGINX provides behavioral protection against DoS for your web applications.

+This guide explains how to deploy F5 DoS for NGINX as well as upgrade App Protect DoS. ## Prerequisites -NGINX App Protect DoS is available to the customers as a downloadable dynamic module at an additional cost. To purchase or add NGINX App Protect DoS to an existing NGINX Plus subscription, contact the NGINX sales team. +F5 DoS for NGINX is available to the customers as a downloadable dynamic module at an additional cost. To purchase or add F5 DoS for NGINX to an existing NGINX Plus subscription, contact the NGINX sales team. -NGINX Plus Release 24 and later supports NGINX App Protect DoS. +NGINX Plus Release 24 and later supports F5 DoS for NGINX. -NGINX App Protect DoS supports the following operating systems: +F5 DoS for NGINX supports the following operating systems: - [RHEL 8.1+ / Rocky Linux 8](#rhel-8--rocky-linux-8-installation) - [RHEL 9.0+ / Rocky Linux 9](#rhel-9--rocky-linux-9-installation) @@ -33,7 +33,7 @@ NGINX App Protect DoS supports the following operating systems: - [AmazonLinux 2023](#amazon-linux-2023-installation) -The NGINX App Protect DoS package has the following dependencies: +The F5 DoS for NGINX package has the following dependencies: 1. **nginx-plus-module-appprotectdos** - NGINX Plus dynamic module for App Protect DoS 2. **libcurl** - Software library for HTTP access @@ -42,7 +42,7 @@ The NGINX App Protect DoS package has the following dependencies: 5. **openssl** - Toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocol 6. **libelf** - Software library for ELF access -See the NGINX Plus full list of prerequisites for more details. NGINX App Protect DoS can be installed as a module to an existing NGINX Plus installation or as a complete NGINX Plus with App Protect DoS installation in a clean environment or to a system with NGINX App Protect WAF. +See the NGINX Plus full list of prerequisites for more details. F5 DoS for NGINX can be installed as a module to an existing NGINX Plus installation or as a complete NGINX Plus with App Protect DoS installation in a clean environment or to a system with NGINX App Protect WAF. {{< call-out "note" >}} @@ -55,7 +55,7 @@ See the NGINX Plus full list of prerequisites for more details. NGINX App Protec When deploying App Protect DoS on NGINX Plus take the following precautions to secure the platform. This avoids the risk of causing a Denial of Service condition or compromising the platform security. -- Restrict permissions to the files on the NGINX App Protect DoS platform to user **nginx** and group **nginx**, especially for the sensitive areas containing the configuration. +- Restrict permissions to the files on the F5 DoS for NGINX platform to user **nginx** and group **nginx**, especially for the sensitive areas containing the configuration. - Remove unnecessary remote access services on the platform. - Configure a Syslog destination on the same machine as App Protect DoS and proxy to an external destination. This avoids eavesdropping and [man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks on the Syslog channel. @@ -91,7 +91,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo yum install ca-certificates epel-release wget ``` -6. Add NGINX Plus and NGINX App Protect DoS repository: +6. Add NGINX Plus and F5 DoS for NGINX repository: ```shell sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo @@ -132,19 +132,19 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo nginx -v ``` -10. Check the NGINX App Protect DoS binary version to ensure that you have the right version installed correctly: +10. Check the F5 DoS for NGINX binary version to ensure that you have the right version installed correctly: ```shell sudo admd -v ``` -11. Load the NGINX App Protect DoS module on the main context in the `nginx.conf`: +11. Load the F5 DoS for NGINX module on the main context in the `nginx.conf`: ```nginx load_module modules/ngx_http_app_protect_dos_module.so; ``` -12. Enable NGINX App Protect DoS on an `http/server/location` context in the `nginx.conf` file: +12. Enable F5 DoS for NGINX on an `http/server/location` context in the `nginx.conf` file: ```nginx app_protect_dos_enable on; @@ -152,7 +152,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s app_protect_dos_monitor uri=serv:80/; # Assuming server_name "serv" on port 80, with the root path "/" ``` -13. Configure the SELinux to allow NGINX App Protect DoS: +13. Configure the SELinux to allow F5 DoS for NGINX: a. Using the vi editor, create a file: @@ -271,7 +271,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 ``` -7. Add NGINX Plus and NGINX App Protect DoS repository: +7. Add NGINX Plus and F5 DoS for NGINX repository: ```shell sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo @@ -318,13 +318,13 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo admd -v ``` -12. Load the NGINX App Protect DoS module on the main context in the `nginx.conf`: +12. Load the F5 DoS for NGINX module on the main context in the `nginx.conf`: ```nginx load_module modules/ngx_http_app_protect_dos_module.so; ``` -13. Enable NGINX App Protect DoS on an `http/server/location` context in the `nginx.conf` file: +13. Enable F5 DoS for NGINX on an `http/server/location` context in the `nginx.conf` file: ```nginx app_protect_dos_enable on; @@ -332,7 +332,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s app_protect_dos_monitor uri=serv:80/; # Assuming server_name "serv" on port 80, with the root path "/" ``` -14. Configure the SELinux to allow NGINX App Protect DoS: +14. Configure the SELinux to allow F5 DoS for NGINX: a. Using the vi editor, create a file: @@ -411,7 +411,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ```shell sudo dnf install ca-certificates wget -6. Enable Yum repositories to pull NGINX App Protect DoS dependencies: +6. Enable Yum repositories to pull F5 DoS for NGINX dependencies: If you have a RHEL subscription: @@ -421,7 +421,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm ``` -7. Add NGINX Plus and NGINX App Protect DoS repository: +7. Add NGINX Plus and F5 DoS for NGINX repository: ```shell sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo @@ -475,13 +475,13 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo admd -v ``` -12. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file: +12. Load the F5 DoS for NGINX module on the main context in the `nginx.conf` file: ```nginx load_module modules/ngx_http_app_protect_dos_module.so; ``` -13. Enable NGINX App Protect DoS in an `http/server/location` context in the `nginx.conf` file: +13. Enable F5 DoS for NGINX in an `http/server/location` context in the `nginx.conf` file: ```nginx app_protect_dos_enable on; @@ -619,7 +619,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo dnf install ca-certificates wget ``` -6. Enable the yum repositories to pull NGINX App Protect DoS dependencies: +6. Enable the yum repositories to pull F5 DoS for NGINX dependencies: If you have a RHEL subscription: @@ -629,7 +629,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm ``` -7. Add the NGINX Plus and NGINX App Protect DoS repositories: +7. Add the NGINX Plus and F5 DoS for NGINX repositories: ```shell sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo @@ -687,13 +687,13 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo admd -v ``` -12. Load the NGINX App Protect DoS module on the main context in the `nginx.conf`: +12. Load the F5 DoS for NGINX module on the main context in the `nginx.conf`: ```nginx load_module modules/ngx_http_app_protect_dos_module.so; ``` -13. Enable NGINX App Protect DoS on an `http/server/location` context in the `nginx.conf` file: +13. Enable F5 DoS for NGINX on an `http/server/location` context in the `nginx.conf` file: ```nginx app_protect_dos_enable on; @@ -851,7 +851,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null ``` -7. Add NGINX Plus and NGINX App Protect DoS repository: +7. Add NGINX Plus and F5 DoS for NGINX repository: For Debian: @@ -963,13 +963,13 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo admd -v ``` -13. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file: +13. Load the F5 DoS for NGINX module on the main context in the `nginx.conf` file: ```nginx load_module modules/ngx_http_app_protect_dos_module.so; ``` -14. Enable NGINX App Protect DoS on an `http/server/location` context in the `nginx.conf` via: +14. Enable F5 DoS for NGINX on an `http/server/location` context in the `nginx.conf` via: ```nginx app_protect_dos_enable on; @@ -1030,7 +1030,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories ``` -7. Add NGINX App Protect DoS repository to `/etc/apk/repositories` file: +7. Add F5 DoS for NGINX repository to `/etc/apk/repositories` file: ```shell printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories @@ -1043,7 +1043,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo apk del -r nginx ``` -9. Update the repository and install the most recent version of the NGINX Plus and NGINX App Protect DoS: +9. Update the repository and install the most recent version of the NGINX Plus and F5 DoS for NGINX: ```shell sudo apk update @@ -1096,13 +1096,13 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo admd -v ``` -13. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file: +13. Load the F5 DoS for NGINX module on the main context in the `nginx.conf` file: ```nginx load_module modules/ngx_http_app_protect_dos_module.so; ``` -14. Enable NGINX App Protect DoS on an `http/server/location` context in the `nginx.conf` via: +14. Enable F5 DoS for NGINX on an `http/server/location` context in the `nginx.conf` via: ```nginx app_protect_dos_enable on; @@ -1151,7 +1151,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ```shell sudo dnf install ca-certificates wget -6. Add NGINX Plus and NGINX App Protect DoS repository: +6. Add NGINX Plus and F5 DoS for NGINX repository: ```shell sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo @@ -1209,13 +1209,13 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo admd -v ``` -11. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file: +11. Load the F5 DoS for NGINX module on the main context in the `nginx.conf` file: ```nginx load_module modules/ngx_http_app_protect_dos_module.so; ``` -12. Enable NGINX App Protect DoS in an `http/server/location` context in the `nginx.conf` file: +12. Enable F5 DoS for NGINX in an `http/server/location` context in the `nginx.conf` file: ```nginx app_protect_dos_enable on; @@ -1272,7 +1272,7 @@ You need root permissions to execute the following steps. 3. Copy the files to the directory where the Dockerfile is located. -4. Add NGINX App Protect DoS to your `nginx.conf`. The configuration below is an example for an `http` and `grpc+tls` servers which has NGINX App Protect DoS enabled. Note that every NGINX App Protect DoS related directive starts with `app_protect_dos_`. +4. Add F5 DoS for NGINX to your `nginx.conf`. The configuration below is an example for an `http` and `grpc+tls` servers which has F5 DoS for NGINX enabled. Note that every F5 DoS for NGINX related directive starts with `app_protect_dos_`. `nginx.conf` @@ -1283,7 +1283,7 @@ You need root permissions to execute the following steps. worker_rlimit_nofile 65535; working_directory /tmp/cores; - load_module modules/ngx_http_app_protect_dos_module.so; # NGINX App Protect DoS module + load_module modules/ngx_http_app_protect_dos_module.so; # F5 DoS for NGINX module events { worker_connections 65535; @@ -1296,7 +1296,7 @@ You need root permissions to execute the following steps. 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; - app_protect_dos_security_log_enable on; # Enable NGINX App Protect DoS's security logger + app_protect_dos_security_log_enable on; # Enable F5 DoS for NGINX's security logger app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" /var/log/adm/logger.log; # Security logger outputs to a file # app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" syslog:server=1.2.3.4:5261; # Security logger outputs to a syslog destination @@ -1310,10 +1310,10 @@ You need root permissions to execute the following steps. access_log /var/log/nginx/access.log log_napd if=$loggable; # Access log with rate limiting and additional information # access_log syslog:server=1.1.1.1:5561 log_napd if=$loggable; - app_protect_dos_policy_file "/etc/app_protect_dos/BADOSDefaultPolicy.json"; # Policy configuration for NGINX App Protect DoS + app_protect_dos_policy_file "/etc/app_protect_dos/BADOSDefaultPolicy.json"; # Policy configuration for F5 DoS for NGINX location / { - app_protect_dos_enable on; # Enable NGINX App Protect DoS in this block + app_protect_dos_enable on; # Enable F5 DoS for NGINX in this block app_protect_dos_name "App80"; # PO name app_protect_dos_monitor uri=http://serv80/; # Health monitoring proxy_pass http://1.2.3.4:80; @@ -1381,7 +1381,7 @@ You need root permissions to execute the following steps. DOCKER_BUILDKIT=1 docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=./license.jwt -t app-protect-dos . ``` - The `--no-cache` option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus and NGINX App Protect DoS. If the Dockerfile was previously used to build an image without the `--no-cache` option, the new image uses versions from the previously built image from the Docker cache. + The `--no-cache` option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus and F5 DoS for NGINX. If the Dockerfile was previously used to build an image without the `--no-cache` option, the new image uses versions from the previously built image from the Docker cache. For RHEL8/9 with subctiption manager setup add build arguments: @@ -1468,11 +1468,11 @@ FROM alpine:3.19 # Download and add the NGINX signing keys: RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub -# Add NGINX Plus/NGINX App Protect Dos repository: +# Add NGINX Plus/F5 DoS for NGINX repository: RUN printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \ printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories -# Update the repository and install the most recent version of the NGINX App Protect Dos package (which includes NGINX Plus): +# Update the repository and install the most recent version of the F5 DoS for NGINX package (which includes NGINX Plus): RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -1508,11 +1508,11 @@ FROM amazonlinux:2023 # Install prerequisite packages: RUN dnf -y install ca-certificates -# Add NGINX Plus/NGINX App Protect Dos repository: +# Add NGINX Plus/F5 DoS for NGINX repository: RUN curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo https://cs.nginx.com/static/files/plus-amazonlinux2023.repo && \ curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo -# Install NGINX App Protect DoS: +# Install F5 DoS for NGINX: RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -1554,7 +1554,7 @@ RUN mkdir -p /etc/ssl/nginx/ /etc/nginx/ && \ printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx -# Install Nginx App Protect Dos +# Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -1592,7 +1592,7 @@ RUN apt-get update && \ printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx -# Install Nginx App Protect Dos +# Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -1636,7 +1636,7 @@ RUN subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIV curl -o /etc/yum.repos.d/plus-8.repo https://cs.nginx.com/static/files/plus-8.repo && \ curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo -# Install Nginx App Protect Dos +# Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -1679,7 +1679,7 @@ RUN curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus- dnf config-manager --set-enabled crb && \ dnf clean all -# Install NGINX App Protect DoS: +# Install F5 DoS for NGINX: RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -1916,7 +1916,7 @@ RUN printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[ printf "https://pkgs.nginx.com/app-protect/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \ printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories -# Update the repository and install the most recent version of the NGINX App Protect DoS package (which includes NGINX Plus): +# Update the repository and install the most recent version of the F5 DoS for NGINX package (which includes NGINX Plus): RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -1997,7 +1997,7 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring && \ wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null -# Add NGINX Plus, NGINX App Protect and NGINX App Protect DoS repository: +# Add NGINX Plus, NGINX App Protect and F5 DoS for NGINX repository: RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list @@ -2005,7 +2005,7 @@ RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https: # Download the apt configuration to `/etc/apt/apt.conf.d`: RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx -# Install Nginx App Protect Dos +# Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -2040,7 +2040,7 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring && \ wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null -# Add NGINX Plus, NGINX App Protect and NGINX App Protect DoS repository: +# Add NGINX Plus, NGINX App Protect and F5 DoS for NGINX repository: RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list @@ -2048,7 +2048,7 @@ RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https: # Download the apt configuration to `/etc/apt/apt.conf.d`: RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx -# Install Nginx App Protect Dos +# Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ @@ -2072,33 +2072,33 @@ STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] ``` -## NGINX App Protect DoS Arbitrator +## F5 DoS for NGINX Arbitrator ### Overview -NGINX App Protect DoS arbitrator orchestrates all the running NGINX App Protect DoS instances to synchronize local/global attack start/stop. +F5 DoS for NGINX arbitrator orchestrates all the running F5 DoS for NGINX instances to synchronize local/global attack start/stop. -NGINX App Protect DoS arbitrator serves as a central coordinating component for managing multiple instances of App Protect DoS in a network. It is needed when there are more than one NGINX App Protect DoS instances. Its primary function is to ensure that all instances are aware of and share the same state for each protected object. Here's a clearer breakdown of how it works and why it's necessary: +F5 DoS for NGINX arbitrator serves as a central coordinating component for managing multiple instances of App Protect DoS in a network. It is needed when there are more than one F5 DoS for NGINX instances. Its primary function is to ensure that all instances are aware of and share the same state for each protected object. Here's a clearer breakdown of how it works and why it's necessary: -How NGINX App Protect DoS Arbitrator Works: +How F5 DoS for NGINX Arbitrator Works: - **Collecting State Periodically**: The arbitrator regularly collects the state information from all running instances of App Protect DoS. This collection occurs at set intervals, typically every 10 seconds. - **State Initialization for New Instances**: When a new App Protect DoS instance is created, it doesn't start with a blank or uninitialized state for a protected object. Instead, it retrieves the initial state for the protected object from the arbitrator. - **Updating State in Case of an Attack**: If an attack is detected by one of the App Protect DoS instances, that instance sends an attack notification to the arbitrator. The arbitrator then updates the state of the affected protected object to indicate that it is under attack. Importantly, this updated state is propagated to all other instances. -### Why NGINX App Protect DoS Arbitrator is Necessary +### Why F5 DoS for NGINX Arbitrator is Necessary -NGINX App Protect DoS Arbitrator is essential for several reasons: +F5 DoS for NGINX Arbitrator is essential for several reasons: - **Global State Management**: Without the arbitrator, each individual instance of App Protect DoS would manage its own isolated state for each protected object. This isolation could lead to inconsistencies. For example, if instance A declared an attack on a protected object named "PO-Example," instance B would remain unaware of this attack, potentially leaving the object vulnerable. - **Uniform Attack Detection**: With the arbitrator in place, when instance A detects an attack on "PO-Example" and reports it to the arbitrator, the state of "PO-Example" is immediately updated to indicate an attack. This means that all instances, including instance B, are aware of the attack and can take appropriate measures to mitigate it. -In summary, NGINX App Protect DoS Arbitrator acts as a central coordinator to maintain a consistent and up-to-date global state for protected objects across multiple instances of App Protect DoS. This coordination helps ensure that attacks are properly detected and mitigated, and that knowledge gained by one instance is efficiently shared with others, enhancing the overall security of the network. +In summary, F5 DoS for NGINX Arbitrator acts as a central coordinator to maintain a consistent and up-to-date global state for protected objects across multiple instances of App Protect DoS. This coordination helps ensure that attacks are properly detected and mitigated, and that knowledge gained by one instance is efficiently shared with others, enhancing the overall security of the network. -### NGINX App Protect DoS Arbitrator Deployment +### F5 DoS for NGINX Arbitrator Deployment -1. Pull the official NGINX App Protect DoS Arbitrator image with the command: +1. Pull the official F5 DoS for NGINX Arbitrator image with the command: ```shell docker pull docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest @@ -2112,22 +2112,22 @@ In summary, NGINX App Protect DoS Arbitrator acts as a central coordinator to ma 3. Verify that the `app-protect-dos-arb` container is up and running with the `docker ps` command. -4. DNS records are required for NGINX App Protect DoS Arbitrator to work properly and be accessible by NGINX App Protect DoS servers. Ensure that the `svc-appprotect-dos-arb` or configured Arbitrator FQDN (with `app_protect_dos_arb_fqdn` directive) has a valid DNS resolution. -This step is necessary only for VM/Docker deployments with arbitrator. When the arbitrator is in the same Kubernetes namespace as NGINX App Protect DoS, this step is not needed. +4. DNS records are required for F5 DoS for NGINX Arbitrator to work properly and be accessible by F5 DoS for NGINX servers. Ensure that the `svc-appprotect-dos-arb` or configured Arbitrator FQDN (with `app_protect_dos_arb_fqdn` directive) has a valid DNS resolution. +This step is necessary only for VM/Docker deployments with arbitrator. When the arbitrator is in the same Kubernetes namespace as F5 DoS for NGINX, this step is not needed. ### Multi-VM Deployment -The Arbitrator service is standalone. Once it is down, it can be seamlessly re-started. It will immediately recover all the needed information from NGINX App Protect DoS instances that communicate to it every 10 sec. It’s downtime is around 10-20 seconds which will not affect the NGINX App Protect DoS working. +The Arbitrator service is standalone. Once it is down, it can be seamlessly re-started. It will immediately recover all the needed information from F5 DoS for NGINX instances that communicate to it every 10 sec. It’s downtime is around 10-20 seconds which will not affect the F5 DoS for NGINX working. -NGINX App Protect DoS Arbitrator service connects to port 3000 and can be seen under App Protect DoS instances. All modules try to connect to this service automatically. If it’s not accessible, each instance works in standalone mode. +F5 DoS for NGINX Arbitrator service connects to port 3000 and can be seen under App Protect DoS instances. All modules try to connect to this service automatically. If it’s not accessible, each instance works in standalone mode. -There is no such option for authentications between NGINX App Protect DoS servers and Arbitrator service like MTLS or password . Currently Arbitrator service is not exposed outside of the namespace. It is customers responsibility to isolate it from outside. It is applicable to any deployment of Arbitrator, not only to multi-VM. +There is no such option for authentications between F5 DoS for NGINX servers and Arbitrator service like MTLS or password . Currently Arbitrator service is not exposed outside of the namespace. It is customers responsibility to isolate it from outside. It is applicable to any deployment of Arbitrator, not only to multi-VM. ## Post-Installation Checks -You can run the following commands to ensure that NGINX App Protect DoS enforcement is operational. +You can run the following commands to ensure that F5 DoS for NGINX enforcement is operational. -1. Check that the three processes needed for NGINX App Protect DoS are running using `ps aux`: +1. Check that the three processes needed for F5 DoS for NGINX are running using `ps aux`: - admd - nginx: master process @@ -2183,7 +2183,7 @@ You can run the following commands to ensure that NGINX App Protect DoS enforcem c. See that the good traffic continue as usual while the attackers receive denial of service. -To check NGINX App Protect WAF along side NGINX App Protect DoS, just perform the normal tests as specified at [Admin Guide](https://docs.nginx.com/nginx-app-protect/admin-guide/) +To check NGINX App Protect WAF along side F5 DoS for NGINX, just perform the normal tests as specified at [Admin Guide](https://docs.nginx.com/nginx-app-protect/admin-guide/) ### Compatibility with NGINX Plus Releases @@ -2191,7 +2191,7 @@ A threat campaign package is compatible with the NGINX Plus release supported du ## Upgrading App Protect DoS -You can upgrade to the latest NGINX Plus and App Protect DoS versions by downloading and installing the latest NGINX App Protect DoS package. When upgrading from this package, App Protect DoS will be uninstalled and reinstalled. The old default security policy is deleted and the new default security policy is installed. If you have created a custom security policy, the policy persists and you will need to update `nginx.conf` and point to the custom security policy by referencing the json file (using the full path). +You can upgrade to the latest NGINX Plus and App Protect DoS versions by downloading and installing the latest F5 DoS for NGINX package. When upgrading from this package, App Protect DoS will be uninstalled and reinstalled. The old default security policy is deleted and the new default security policy is installed. If you have created a custom security policy, the policy persists and you will need to update `nginx.conf` and point to the custom security policy by referencing the json file (using the full path). If you upgrade your NGINX version outside of the App Protect DoS module, App Protect DoS will be uninstalled and you will need to reinstall it. You need to restart NGINX after an upgrade. @@ -2455,7 +2455,7 @@ http { #### App Protect DoS arb -Arbitrator (arb) is an internal service that is essential for the scaling scenarios. The arbitrator service should be deployed in the same namespace as NGINX App Protect DoS. +Arbitrator (arb) is an internal service that is essential for the scaling scenarios. The arbitrator service should be deployed in the same namespace as F5 DoS for NGINX. `appprotect-dos-arb.yaml`: @@ -2519,7 +2519,7 @@ kubectl -n appprotect-dos-wp-diff apply -f ${DIR}/appprotect-dos-arb.yaml kubectl -n appprotect-dos-wp-diff apply -f ${DIR}/svc-appprotect-dos-arb.yaml ``` -`install NGINX App Protect DoS with ARB service`: +`install F5 DoS for NGINX with ARB service`: ```shell #!/bin/bash diff --git a/content/nap-dos/directives-and-policy/_index.md b/content/nap-dos/directives-and-policy/_index.md index 0d66fcde8..2994cd207 100644 --- a/content/nap-dos/directives-and-policy/_index.md +++ b/content/nap-dos/directives-and-policy/_index.md @@ -1,6 +1,6 @@ --- description: Learn about the Directives and Policy attributes necessary to configure - F5 NGINX App Protect DoS. + F5 F5 DoS for NGINX. title: Directives and Policy weight: 120 url: /nginx-app-protect-dos/directives-and-policy/ diff --git a/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md b/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md index 3f2635b52..c74105412 100644 --- a/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md +++ b/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md @@ -1,5 +1,5 @@ --- -title: NGINX App Protect DoS Directives and Policy +title: F5 DoS for NGINX Directives and Policy toc: true weight: 120 nd-docs: DOCS-667 @@ -8,14 +8,14 @@ nd-docs: DOCS-667 ## Introduction NGINX directives are specified in the `nginx.conf` file and are used to configure various modules of NGINX.
-F5 NGINX App Protect DoS has its own set of directives, which follow the same rules as other NGINX directives, and are used to enable and configure its features.
+F5 F5 DoS for NGINX has its own set of directives, which follow the same rules as other NGINX directives, and are used to enable and configure its features.
-The table below provides a summary of all the F5 NGINX App Protect DoS directives.
+The table below provides a summary of all the F5 F5 DoS for NGINX directives.
-While only the first directive is mandatory for enabling NGINX App Protect DoS, it is recommended to use as many directives as possible to leverage the product’s full range of monitoring and application health detection capabilities. After adding these directives, ensure you reload NGINX and check the error log for any errors or warnings.
+While only the first directive is mandatory for enabling F5 DoS for NGINX, it is recommended to use as many directives as possible to leverage the product’s full range of monitoring and application health detection capabilities. After adding these directives, ensure you reload NGINX and check the error log for any errors or warnings.
## Directives table -Below is a summary of all NGINX App Protect DoS directives. Detailed descriptions of each directive can be found in the following sections. +Below is a summary of all F5 DoS for NGINX directives. Detailed descriptions of each directive can be found in the following sections. {{}} @@ -130,7 +130,7 @@ Directive is optional. If not written, then each protected object (VS) will have seq: 0 for server block, increments for each location block. i.e. VS created from server block will have 0 and VS's from location blocks will be 1,2,3,... (i.e. `1`) - `location name:` the name of the location (i.e. `/abc`) -NGINX App Protect DoS supports up to 300 Protected Objects for versions up to 4.3, and 1,000 Protected Objects in version 4.4 and above.
+F5 DoS for NGINX supports up to 300 Protected Objects for versions up to 4.3, and 1,000 Protected Objects in version 4.4 and above.

**Example:** @@ -158,21 +158,21 @@ Monitor directive has four arguments - **uri**, **protocol**, **timeout** and ** - **Protocol** - determines the protocol type of the service. Options are `http1 / http2 / grpc / websocket`.
Default: `http1`.
- {{< call-out "note" >}}HTTP2 and gRPC are supported from NGINX App Protect DoS v2, while WebSocket is supported from NGINX App Protect DoS v4. {{< /call-out >}} + {{< call-out "note" >}}HTTP2 and gRPC are supported from F5 DoS for NGINX v2, while WebSocket is supported from F5 DoS for NGINX v4. {{< /call-out >}} -- **Timeout** - determines how long (in seconds) should NGINX App Protect DoS wait for a response.
Default: 10 seconds for `http1/http2/websocket` and 5 seconds for `grpc`.
+- **Timeout** - determines how long (in seconds) should F5 DoS for NGINX wait for a response.
Default: 10 seconds for `http1/http2/websocket` and 5 seconds for `grpc`.
- **Proxy Protocol** - Should be used when the listen directive of the corresponding server block contains the proxy_protocol parameter. It adds an HAProxy PROXY protocol header to the monitor request.
Format is **proxy_protocol | proxy_protocol=on**.
Default: off.
- {{< call-out "note" >}}The proxy_protocol is supported from NGINX App Protect DoS v3.1. {{< /call-out >}} + {{< call-out "note" >}}The proxy_protocol is supported from F5 DoS for NGINX v3.1. {{< /call-out >}} -#### For Older Versions (NGINX App Protect DoS v1) +#### For Older Versions (F5 DoS for NGINX v1) -In NGINX App Protect DoS v1, the app_protect_dos_monitor directive has only one argument: uri. +In F5 DoS for NGINX v1, the app_protect_dos_monitor directive has only one argument: uri. Only HTTP1 is supported.

@@ -190,7 +190,7 @@ location / { } ``` -{{< call-out "note" >}}For NGINX App Protect DoS v1, use: app_protect_dos_monitor ; {{< /call-out >}} +{{< call-out "note" >}}For F5 DoS for NGINX v1, use: app_protect_dos_monitor ; {{< /call-out >}} 2. HTTP/2 Over SSL @@ -277,7 +277,7 @@ Second argument is the destination (the location which the events will be sent t - `stderr` (**default**) - `{absolute_file_path}`, i.e. `/shared/dos_sec_logger.log` -Implemented according to: [NGINX App Protect DoS Security Log]({{< ref "/nap-dos/monitoring/security-log.md" >}}) +Implemented according to: [F5 DoS for NGINX Security Log]({{< ref "/nap-dos/monitoring/security-log.md" >}}) {{< call-out "note" >}} @@ -336,7 +336,7 @@ Second and Third arguments are optional; if one or more is not written, the defa If liveness is enabled, a request with URI and PORT that matches the probe configuration (i.e. `/app_protect_dos_liveness:8090`) will be answered with RC 200 "Alive" by our NGINX module, without being counted or pass to other handlers nor the backend server. -Any other response will indicate that our NGINX module (NGINX App Protect DoS) has not received the request (possibly means that NGINX is down). +Any other response will indicate that our NGINX module (F5 DoS for NGINX) has not received the request (possibly means that NGINX is down). **Example:** @@ -363,7 +363,7 @@ Second and Third arguments are optional; if one or more is not written, the defa If readiness is enabled, a request with URI and PORT that matches the probe configuration (i.e. `/app_protect_dos_readiness:8090`) will be answered with RC 200 "Ready" or RC 503 "Not Ready" by our NGINX module, without being counted or pass to other handlers nor the backend server. -Any other response will indicate that our NGINX module (NGINX App Protect DoS) has not received the request (possibly means that NGINX is down). +Any other response will indicate that our NGINX module (F5 DoS for NGINX) has not received the request (possibly means that NGINX is down). RC 200 "Ready" will occur if two conditions are met: @@ -402,7 +402,7 @@ This directive is used to enable the App Protect DoS monitoring capability via R The REST API interface provides extended metrics information of the Protected Objects. It can be used by sending REST API requests manually or by using the App Protect DoS dashboard page. -For more information refer to [NGINX App Protect DoS Live Activity Monitoring]({{< ref "/nap-dos/monitoring/live-activity-monitoring.md" >}}) +For more information refer to [F5 DoS for NGINX Live Activity Monitoring]({{< ref "/nap-dos/monitoring/live-activity-monitoring.md" >}}) **Example:** @@ -432,13 +432,13 @@ syn_drop is an optional parameter; the default value is "off".
syn_drop=on mode is applicable for plane HTTP services or HTTPS when the `tls_fingerprint` feature is disabled. Refer to policy parameter "tls_fingerprint" in [Policy directive](#policy-directive-app_protect_dos_policy_file). In syn_drop mode, the SYN packet of detected bad actors will be dropped. -syn_drop mode is recommended for the deployments of NGINX App Protect DoS at the perimeter network or behind L3 load balancer. -Using this mode when NGINX App Protect DoS is deployed behind L4/L7 load balancer may result in the load balancer’s starvation during an attack. +syn_drop mode is recommended for the deployments of F5 DoS for NGINX at the perimeter network or behind L3 load balancer. +Using this mode when F5 DoS for NGINX is deployed behind L4/L7 load balancer may result in the load balancer’s starvation during an attack. {{< call-out "note" >}} To use this directive you need to install the eBPF package. -For more information about eBPF, you can read the [Accelerating DDoS Mitigation with eBPF in F5 NGINX App Protect DoS](https://www.f5.com/company/blog/nginx/accelerating-ddos-mitigation-with-ebpf-in-f5-nginx-app-protect-dos) article. +For more information about eBPF, you can read the [Accelerating DDoS Mitigation with eBPF in F5 F5 DoS for NGINX](https://www.f5.com/company/blog/nginx/accelerating-ddos-mitigation-with-ebpf-in-f5-nginx-app-protect-dos) article. {{< /call-out >}} diff --git a/content/nap-dos/monitoring/_index.md b/content/nap-dos/monitoring/_index.md index 8485a67c4..fcfcc015b 100644 --- a/content/nap-dos/monitoring/_index.md +++ b/content/nap-dos/monitoring/_index.md @@ -1,6 +1,6 @@ --- description: Documentation explaining how to monitor, generate logs for, and debug - F5 NGINX App Protect DoS. + F5 F5 DoS for NGINX. title: Monitoring weight: 130 url: /nginx-app-protect-dos/monitoring/ diff --git a/content/nap-dos/monitoring/access-log.md b/content/nap-dos/monitoring/access-log.md index 0efcb3fb0..f9cac357b 100644 --- a/content/nap-dos/monitoring/access-log.md +++ b/content/nap-dos/monitoring/access-log.md @@ -1,7 +1,7 @@ --- -description: Learn about the F5 NGINX App Protect DoS Request Log Mechanism. +description: Learn about the F5 F5 DoS for NGINX Request Log Mechanism. nd-docs: DOCS-668 -title: NGINX App Protect DoS Access Log Request Mechanism +title: F5 DoS for NGINX Access Log Request Mechanism toc: true weight: 160 type: diff --git a/content/nap-dos/monitoring/live-activity-monitoring.md b/content/nap-dos/monitoring/live-activity-monitoring.md index e28fb571b..59d4e5ed6 100644 --- a/content/nap-dos/monitoring/live-activity-monitoring.md +++ b/content/nap-dos/monitoring/live-activity-monitoring.md @@ -1,25 +1,25 @@ --- -description: Learn about the F5 NGINX App Protect DoS Live Activity Monitoring. +description: Learn about the F5 F5 DoS for NGINX Live Activity Monitoring. nd-docs: DOCS-1389 -title: NGINX App Protect DoS Live Activity Monitoring +title: F5 DoS for NGINX Live Activity Monitoring toc: true weight: 140 type: - how-to --- -{{< img src="/dashboard/dos-tab.png" alt="NGINX App Protect DoS Dashboard" >}} +{{< img src="/dashboard/dos-tab.png" alt="F5 DoS for NGINX Dashboard" >}} ## Overview -F5 NGINX App Protect DoS offers a variety of application monitoring tools: +F5 F5 DoS for NGINX offers a variety of application monitoring tools: - **App Protect DoS Dashboard Page**: This dynamic interface provides real-time monitoring and details of Protected Objects. -- **NGINX App Protect DoS REST API**: This interface offers comprehensive metrics about the Protected Objects. +- **F5 DoS for NGINX REST API**: This interface offers comprehensive metrics about the Protected Objects. ## Prerequisites -- NGINX Plus R26 or later is required for accessing the NGINX App Protect DoS REST API and the DoS Dashboard. +- NGINX Plus R26 or later is required for accessing the F5 DoS for NGINX REST API and the DoS Dashboard. ## API Configuration Steps @@ -133,7 +133,7 @@ In multi-instance environments with an arbitrator, these statistics will be comb | Mitigations/s | - | Number of mitigated requests per second | | Requests | - | Total number of incoming requests | | Mitigations | - | Total number of mitigated requests | -| Learning | [ready\|ba only\|not ready] | Whether NGINX App Protect DoS collected enough data to protect the Protected Object | +| Learning | [ready\|ba only\|not ready] | Whether F5 DoS for NGINX collected enough data to protect the Protected Object | | Protocol | [http1\|http2\|grpc] | As defined by the `protocol` argument of the `app_protect_dos_monitor` directive | | Mitigation Mode | [standard\|conservative\|none] | As defined by the `mitigation_mode` object in the JSON policy file from the `app_protect_dos_policy_file` directive | | Signatures | [on\|off] | As defined by the `signatures` object in the JSON policy file from the `app_protect_dos_policy_file` directive. Values - on/off | diff --git a/content/nap-dos/monitoring/operation-log.md b/content/nap-dos/monitoring/operation-log.md index 2a12d5eaf..3aa07a669 100644 --- a/content/nap-dos/monitoring/operation-log.md +++ b/content/nap-dos/monitoring/operation-log.md @@ -1,7 +1,7 @@ --- -description: Learn about the F5 NGINX App Protect DoS Operation Log. +description: Learn about the F5 F5 DoS for NGINX Operation Log. nd-docs: DOCS-669 -title: NGINX App Protect DoS Operation Log +title: F5 DoS for NGINX Operation Log toc: true weight: 180 type: @@ -18,7 +18,7 @@ The operation logs consists of system operational and health events. The events |Event Type|Level|Meaning| |--------- |-----|------ | -|Configuration Error |error |There were errors in the [directives]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md" >}}) in the `nginx.conf` file.
Configuration error event is produced when one of F5 NGINX App Protect DoS directives is supplied with an incorrect data. An additional information will be added to the message, describing what was incorrect. NGINX will run with default values for this directive.
Please note that if the directive supplied with an incorrect number of arguments then NGINX will issue an error and NGINX will not run. It is a generic NGINX behavior.| +|Configuration Error |error |There were errors in the [directives]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md" >}}) in the `nginx.conf` file.
Configuration error event is produced when one of F5 F5 DoS for NGINX directives is supplied with an incorrect data. An additional information will be added to the message, describing what was incorrect. NGINX will run with default values for this directive.
Please note that if the directive supplied with an incorrect number of arguments then NGINX will issue an error and NGINX will not run. It is a generic NGINX behavior.| {{}} @@ -50,7 +50,7 @@ The operation logs consists of system operational and health events. The events |Event Type|Level|Meaning| |--------- |-----|------ | -|Configuration Load Success | notice |The `APP_PROTECT_DOS` configuration process ended successfully: all policies, log configuration and global settings were loaded to NGINX App Protect DoS and all traffic will be handled by this configuration. The `error_message` contains warnings. This event is also generated on the initial configuration (when NGINX Plus starts).| +|Configuration Load Success | notice |The `APP_PROTECT_DOS` configuration process ended successfully: all policies, log configuration and global settings were loaded to F5 DoS for NGINX and all traffic will be handled by this configuration. The `error_message` contains warnings. This event is also generated on the initial configuration (when NGINX Plus starts).| {{}} diff --git a/content/nap-dos/monitoring/security-log.md b/content/nap-dos/monitoring/security-log.md index 642cde34e..16194c0bf 100644 --- a/content/nap-dos/monitoring/security-log.md +++ b/content/nap-dos/monitoring/security-log.md @@ -1,7 +1,7 @@ --- -description: Learn about the F5 NGINX App Protect DoS Security Log. +description: Learn about the F5 F5 DoS for NGINX Security Log. nd-docs: DOCS-670 -title: NGINX App Protect DoS Security Log +title: F5 DoS for NGINX Security Log toc: true weight: 140 type: @@ -24,7 +24,7 @@ The following table lists all the possible fields in the logs and their meaning. |----------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `date_time` | string | the date and time of the event | | `product` | string | always set to `app-protect-dos` | -| `product_version` | string | F5 NGINX App Protect DoS version | +| `product_version` | string | F5 F5 DoS for NGINX version | | `unit_hostname` | string | host name of the app-protect-dos instance | | `instance_id` | string | instance ID: container id from `/proc/self/cgroup`or hostname if container is is not available | | `vs_name` | string | A unique identifier (representing the protected object's name) of the location in the `nginx.conf` file that this request is associated with. It contains the line number of the containing server block in `nginx.conf`, the server name, a numeric discriminator that distinguishes between multiple entries within the same server, and the location name.
For example: `34-mydomain.com:0-~/.*php(2)`. | @@ -336,7 +336,7 @@ mitigated_connections_rps="0", ``` ### 2. Bad actor detection/expiration -Reports NGINX App Protect DoS decisions regarding bad actors. +Reports F5 DoS for NGINX decisions regarding bad actors. a. Example: **Bad Actor Detection** @@ -369,7 +369,7 @@ impact_rps="12", ``` ### 3. Attack signatures -Reports NGINX App Protect DoS decisions regarding signatures.
+Reports F5 DoS for NGINX decisions regarding signatures.
Example: **Attack Signature Detected** diff --git a/content/nap-dos/monitoring/types-of-logs.md b/content/nap-dos/monitoring/types-of-logs.md index 865adafd7..a127408c7 100644 --- a/content/nap-dos/monitoring/types-of-logs.md +++ b/content/nap-dos/monitoring/types-of-logs.md @@ -1,7 +1,7 @@ --- -description: Learn about the F5 NGINX App Protect DoS Logs Overview. +description: Learn about the F5 F5 DoS for NGINX Logs Overview. nd-docs: DOCS-671 -title: NGINX App Protect DoS Logs Overview +title: F5 DoS for NGINX Logs Overview toc: true weight: 130 type: @@ -13,7 +13,7 @@ There are 4 types of logs corresponding to App Protect DoS: - [Security Log](#security-log): The general picture of the site and how App Protect DoS processed it, including anomalies and signatures found. - [Operation Log](#operation-log): Events such as configuration errors or warnings. - [Debug Logs](#debug-log): Technical messages at different levels of severity used to debug and resolve incidents and error behaviors. -- [Request Logging](#request-log): F5 NGINX App Protect DoS adds information to each request logged to NGINX's access logging mechanism. +- [Request Logging](#request-log): F5 F5 DoS for NGINX adds information to each request logged to NGINX's access logging mechanism. {{< call-out "note" >}} NGINX does not have audit logs in the sense of *"**who** did **what**"*. This can be done either from the orchestration system controlling NGINX (such as NGINX Controller) or by tracking the configuration files and the systemd invocations using Linux tools. @@ -25,13 +25,13 @@ NGINX does not have audit logs in the sense of *"**who** did **what**"*. This ca |----|-----------------|-----------------------|-----------------|--------------------| | Debug | Log file name is the redirection in the invocation of the `admd` command line in the start script | Global (not part of `nginx.conf`)|Yes. Log file is in /var/log/adm/admd.log directory. There is currently no file rotation capability available for this log.| No | | Operation | `error_log` directive, part of core NGINX | `nginx.conf` - global | Yes, NGINX error log | Yes, NGINX error log | -|Request |NGINX has two directives for the access log:
- **access_log** - to turn [on\|off]
- **log_format** - to specify the required information regarding each request

NGINX App Protect DoS has several variables that can be added to the log_format directive, such as $app_protect_dos_outcome.

For more information refer to [NGINX App Protect DoS Access Log]({{< ref "/nap-dos/monitoring/access-log.md" >}}) | `nginx.conf` - global| Yes, NGINX access log | Yes, NGINX access log | -| Security | NGINX App Protect DoS has two directives in `nginx.conf`:
- app_protect_dos_security_log_enable to turn logging [on\|off]
- app_protect_dos_security_log to set it's logging configuration and destination

For more information refer:
- **Configuration**: [App Protect DoS - Directives and Policy]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md">}})
- **Usage**: [NGINX App Protect DoS - Security Log]({{< ref "/nap-dos/monitoring/security-log.md" >}}) | `nginx.conf`: http, server, location | Yes, either stderr, or an absolute path to a local file are supported | Yes | +|Request |NGINX has two directives for the access log:
- **access_log** - to turn [on\|off]
- **log_format** - to specify the required information regarding each request

F5 DoS for NGINX has several variables that can be added to the log_format directive, such as $app_protect_dos_outcome.

For more information refer to [F5 DoS for NGINX Access Log]({{< ref "/nap-dos/monitoring/access-log.md" >}}) | `nginx.conf` - global| Yes, NGINX access log | Yes, NGINX access log | +| Security | F5 DoS for NGINX has two directives in `nginx.conf`:
- app_protect_dos_security_log_enable to turn logging [on\|off]
- app_protect_dos_security_log to set it's logging configuration and destination

For more information refer:
- **Configuration**: [App Protect DoS - Directives and Policy]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md">}})
- **Usage**: [F5 DoS for NGINX - Security Log]({{< ref "/nap-dos/monitoring/security-log.md" >}}) | `nginx.conf`: http, server, location | Yes, either stderr, or an absolute path to a local file are supported | Yes | {{}} ## Security Log - The security logs contain information about the status of the protected objects. It gives a general picture about each protected object in terms of traffic intensity, health of the backend server, learning and mitigations. For more information refer to [NGINX App Protect DoS Security Log]({{< ref "/nap-dos/monitoring/security-log.md" >}}) documentation. + The security logs contain information about the status of the protected objects. It gives a general picture about each protected object in terms of traffic intensity, health of the backend server, learning and mitigations. For more information refer to [F5 DoS for NGINX Security Log]({{< ref "/nap-dos/monitoring/security-log.md" >}}) documentation. ## Operation Log The operation logs consists of system operational and health events. The events are sent to the NGINX error log and are distinguished by the `APP_PROTECT_DOS` prefix followed by JSON body. The log level depends on the event: success is usually indicated by `notice`, while failure is indicated by `error`. The timestamp is inherent in the error log. For more information refer to [App Protect DoS Operation Log]({{< ref "/nap-dos/monitoring/operation-log.md" >}}) documentation. @@ -43,13 +43,13 @@ NGINX does not have audit logs in the sense of *"**who** did **what**"*. This ca This directive determines the format of the log messages using predefined variables. App Protect DoS will enrich this set of variables with several security log attributes that are available to be included in the `log_format`. If `log_format` is not specified then the built-in format `combined` is used but, because that format does not include the extended App Protect DoS variables, this directive must be used when the user wants to add App Protect DoS information to the log. ### access_log -This directive determines the destination of the `access_log` and the name of the format. The default is the file `/var/log/nginx/access.log` using the combined format. In order to use the custom format that includes the NGINX App Protect DoS variables, use this directive with the name of the desired format. +This directive determines the destination of the `access_log` and the name of the format. The default is the file `/var/log/nginx/access.log` using the combined format. In order to use the custom format that includes the F5 DoS for NGINX variables, use this directive with the name of the desired format. ### App Protect DoS Variables -These are the variables added to Access Log. They are a subset of the Security log attributes. The Security log names are prefixed with `$app_protect_dos`.
For more information refer to [NGINX App Protect DoS Access Log]({{< ref "/nap-dos/monitoring/access-log.md" >}}) +These are the variables added to Access Log. They are a subset of the Security log attributes. The Security log names are prefixed with `$app_protect_dos`.
For more information refer to [F5 DoS for NGINX Access Log]({{< ref "/nap-dos/monitoring/access-log.md" >}}) -## Debug Log - NGINX App Protect DoS -The NGINX App Protect DoS Debug log is used to troubleshoot the functionality of the product.
+## Debug Log - F5 DoS for NGINX +The F5 DoS for NGINX Debug log is used to troubleshoot the functionality of the product.
The path of the log is at a fixed location: `/var/log/adm/admd.log`. @@ -62,12 +62,12 @@ admd -l DEBUG_LEVEL ``` {{< call-out "note" >}} -`nginx.conf` does not refer to the NGINX App Protect DoS debug log configuration neither directly nor indirectly. +`nginx.conf` does not refer to the F5 DoS for NGINX debug log configuration neither directly nor indirectly. {{< /call-out >}} ## NGINX Error log -The NGINX Error log is used to troubleshoot the configuration portion of NGINX App Protect DoS. +The NGINX Error log is used to troubleshoot the configuration portion of F5 DoS for NGINX. The file is called `error.log` and its path and debug level is determined in `nginx.conf` by the directive `error_log`.
diff --git a/content/nap-dos/releases/_index.md b/content/nap-dos/releases/_index.md index 7ac8e5f15..b152af861 100644 --- a/content/nap-dos/releases/_index.md +++ b/content/nap-dos/releases/_index.md @@ -1,5 +1,5 @@ --- -description: Stay up-to-date with the latest F5 NGINX App Protect DoS release. +description: Stay up-to-date with the latest F5 F5 DoS for NGINX release. title: Releases weight: 220 url: /nginx-app-protect-dos/releases/ diff --git a/content/nap-dos/releases/about-1.0.md b/content/nap-dos/releases/about-1.0.md index b3741d126..3b1fca049 100644 --- a/content/nap-dos/releases/about-1.0.md +++ b/content/nap-dos/releases/about-1.0.md @@ -5,7 +5,7 @@ weight: 260 nd-docs: DOCS-672 --- -Here you can find the release information for F5 NGINX App Protect DoS v1. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v1. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 1.0 @@ -69,7 +69,7 @@ July 6, 2021 - `proxy_request_buffering off` is not supported. -- NGINX App Protect DoS does not protect `grpc` and `http2` services. The traffic is bypassed. +- F5 DoS for NGINX does not protect `grpc` and `http2` services. The traffic is bypassed. - [TLS fingerprint]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md#policy-directive-app_protect_dos_policy_file" >}}) feature is not used in CentOS 7.4 due to the old OpenSSL version. The required OpenSSL version is 1.1.1 or higher. diff --git a/content/nap-dos/releases/about-1.1.0.md b/content/nap-dos/releases/about-1.1.0.md index f853f5843..69a2df614 100644 --- a/content/nap-dos/releases/about-1.1.0.md +++ b/content/nap-dos/releases/about-1.1.0.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS Arbitrator 1.1.0 +title: F5 DoS for NGINX Arbitrator 1.1.0 toc: true weight: 220 nd-docs: DOCS-673 --- -Here you can find the release information for F5 NGINX App Protect DoS Arbitrator v1.1.0. +Here you can find the release information for F5 F5 DoS for NGINX Arbitrator v1.1.0. ## Arbitrator Service Release 1.1.0 @@ -25,13 +25,13 @@ This release is focused on security and stability. ### Important Notes -- The current release upgrades Arbitrator service only. This change is agnostic to NGINX App Protect DoS functionalities. +- The current release upgrades Arbitrator service only. This change is agnostic to F5 DoS for NGINX functionalities. - `proxy_request_buffering` off is not supported. - gRPC and HTTP/2 protection require active monitoring of the protected service. The directive `app_protect_dos_monitor` is mandatory for these use cases, otherwise, the attack will not be detected. -- gRPC and HTTP/2 protection are available only on Debian 10, Ubuntu 18.04, and Ubuntu 20.04 platforms. For the rest of the platforms, NGINX App Protect DoS does not protect gRPC and HTTP/2 services. The traffic is bypassed. +- gRPC and HTTP/2 protection are available only on Debian 10, Ubuntu 18.04, and Ubuntu 20.04 platforms. For the rest of the platforms, F5 DoS for NGINX does not protect gRPC and HTTP/2 services. The traffic is bypassed. - [TLS fingerprint]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md#policy-directive-app_protect_dos_policy_file" >}}) feature is not used in CentOS 7.4 due to the old OpenSSL version. The required OpenSSL version is 1.1.1 or higher. @@ -44,4 +44,4 @@ This release is focused on security and stability. - `successful_responses` instead of `successful_transactions`
- `unsuccessful_requests` instead of `unsuccessful_requests_count`. -- In the case of an upgrade from the previous `app-protect-dos` version, it's necessary to remove the old `nginx-plus` and install the new `app-protect-dos` that will install a correspondent version of `nginx-plus` as described in the [NGINX App Protect DoS Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). +- In the case of an upgrade from the previous `app-protect-dos` version, it's necessary to remove the old `nginx-plus` and install the new `app-protect-dos` that will install a correspondent version of `nginx-plus` as described in the [F5 DoS for NGINX Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). diff --git a/content/nap-dos/releases/about-1.1.1.md b/content/nap-dos/releases/about-1.1.1.md index 173b8e1cd..027b5f59b 100644 --- a/content/nap-dos/releases/about-1.1.1.md +++ b/content/nap-dos/releases/about-1.1.1.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS Arbitrator 1.1.1 +title: F5 DoS for NGINX Arbitrator 1.1.1 toc: true weight: 115 nd-docs: DOCS-1205 --- -Here you can find the release information for F5 NGINX App Protect DoS Arbitrator v1.1.1. +Here you can find the release information for F5 F5 DoS for NGINX Arbitrator v1.1.1. ## Arbitrator Service Release 1.1.1 diff --git a/content/nap-dos/releases/about-1.2.0.md b/content/nap-dos/releases/about-1.2.0.md index ed606e4e0..1804d59fc 100644 --- a/content/nap-dos/releases/about-1.2.0.md +++ b/content/nap-dos/releases/about-1.2.0.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS Arbitrator 1.2.0 +title: F5 DoS for NGINX Arbitrator 1.2.0 toc: true weight: 61 nd-docs: DOCS-1782 --- -Here you can find the release information for F5 NGINX App Protect DoS Arbitrator v1.2.0 +Here you can find the release information for F5 F5 DoS for NGINX Arbitrator v1.2.0 ## Arbitrator Service Release 1.2.0 diff --git a/content/nap-dos/releases/about-2.0.md b/content/nap-dos/releases/about-2.0.md index 7fb5b9005..81b7fecc0 100644 --- a/content/nap-dos/releases/about-2.0.md +++ b/content/nap-dos/releases/about-2.0.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS 2.0 +title: F5 DoS for NGINX 2.0 toc: true weight: 220 nd-docs: DOCS-674 --- -Here you can find the release information for F5 NGINX App Protect DoS v2.0. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v2.0. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 2.0 @@ -72,7 +72,7 @@ October 20, 2021 - gRPC and HTTP/2 protection require active monitoring of the protected service. The directive `app_protect_dos_monitor` is mandatory for these use cases, otherwise, the attack will not be detected. -- gRPC and HTTP/2 protection are available only on Debian 10, Ubuntu 18.04 and Ubuntu 20.04 platforms. For the rest of the platforms, NGINX App Protect DoS does not protect gRPC and HTTP/2 services. The traffic is bypassed. +- gRPC and HTTP/2 protection are available only on Debian 10, Ubuntu 18.04 and Ubuntu 20.04 platforms. For the rest of the platforms, F5 DoS for NGINX does not protect gRPC and HTTP/2 services. The traffic is bypassed. - [TLS fingerprint]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md#policy-directive-app_protect_dos_policy_file" >}}) feature is not used in CentOS 7.4 due to the old OpenSSL version. The required OpenSSL version is 1.1.1 or higher. @@ -85,4 +85,4 @@ October 20, 2021 - `successful_responses` instead of `successful_transactions`
- `unsuccessful_requests` instead of `unsuccessful_requests_count`. -- In the case of an upgrade from the previous `app-protect-dos` version, it's necessary to remove the old `nginx-plus` and install the new `app-protect-dos` that will install a correspondent version of `nginx-plus` as described in the [NGINX App Protect DoS Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). +- In the case of an upgrade from the previous `app-protect-dos` version, it's necessary to remove the old `nginx-plus` and install the new `app-protect-dos` that will install a correspondent version of `nginx-plus` as described in the [F5 DoS for NGINX Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). diff --git a/content/nap-dos/releases/about-2.1.md b/content/nap-dos/releases/about-2.1.md index 462ba2bbe..fb584cb6b 100644 --- a/content/nap-dos/releases/about-2.1.md +++ b/content/nap-dos/releases/about-2.1.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS 2.1 +title: F5 DoS for NGINX 2.1 toc: true weight: 200 nd-docs: DOCS-831 --- -Here you can find the release information for F5 NGINX App Protect DoS v2.1. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v2.1. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 2.1 diff --git a/content/nap-dos/releases/about-2.2.md b/content/nap-dos/releases/about-2.2.md index 147cd6f51..cec7466b0 100644 --- a/content/nap-dos/releases/about-2.2.md +++ b/content/nap-dos/releases/about-2.2.md @@ -1,17 +1,17 @@ --- -title: NGINX App Protect DoS 2.2 +title: F5 DoS for NGINX 2.2 toc: true weight: 180 nd-docs: DOCS-839 --- -Here you can find the release information for F5 NGINX App Protect DoS v2.2. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v2.2. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 2.2 February 15, 2022 -In this release, support for NGINX App Protect DoS is added to NGINX Plus R26. +In this release, support for F5 DoS for NGINX is added to NGINX Plus R26. ### New Features @@ -50,7 +50,7 @@ In this release, support for NGINX App Protect DoS is added to NGINX Plus R26. - Monitor requests are sent in new connections. It improves monitoring health capability and allows better detection of slow POST attacks. - Adaptive memory allocation by adminstall in order to support maximum cores. - The amount of allocated memory for NGINX App Protect DoS is controlled by an argument of adminstall. + The amount of allocated memory for F5 DoS for NGINX is controlled by an argument of adminstall. The default value is 80 MB. For certain deployments, this amount of memory size is not enough. The default memory size is adaptive now. If the Virtual Machine (VM) has a big number of CPU cores, then we can also increase the amount of memory. For the case of up to 4 CPU cores, the allocated memory is 80MB, for more than 4 CPU cores, the allocated memory will be calculated as 80MB + CPUs * 2.5MB diff --git a/content/nap-dos/releases/about-2.3.md b/content/nap-dos/releases/about-2.3.md index c98c7be28..c0c70fcea 100644 --- a/content/nap-dos/releases/about-2.3.md +++ b/content/nap-dos/releases/about-2.3.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS 2.3 +title: F5 DoS for NGINX 2.3 toc: true weight: 170 nd-docs: DOCS-856 --- -Here you can find the release information for F5 NGINX App Protect DoS v2.3. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v2.3. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 2.3 diff --git a/content/nap-dos/releases/about-2.4.md b/content/nap-dos/releases/about-2.4.md index bf8502638..c20de446c 100644 --- a/content/nap-dos/releases/about-2.4.md +++ b/content/nap-dos/releases/about-2.4.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS 2.4 +title: F5 DoS for NGINX 2.4 toc: true weight: 160 nd-docs: DOCS-890 --- -Here you can find the release information for F5 NGINX App Protect DoS v2.4. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v2.4. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 2.4 @@ -54,7 +54,7 @@ June 28, 2022 ### Resolved Issues -- Honoring allow/deny directives for restricting access to the NGINX App Protect DoS Live Activity Monitoring API location. +- Honoring allow/deny directives for restricting access to the F5 DoS for NGINX Live Activity Monitoring API location. ### Important Notes diff --git a/content/nap-dos/releases/about-3.0.md b/content/nap-dos/releases/about-3.0.md index 9310fa583..fe076afd2 100644 --- a/content/nap-dos/releases/about-3.0.md +++ b/content/nap-dos/releases/about-3.0.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS 3.0 +title: F5 DoS for NGINX 3.0 toc: true weight: 150 nd-docs: DOCS-946 --- -Here you can find the release information for F5 NGINX App Protect DoS v3.0. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v3.0. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 3.0 @@ -15,7 +15,7 @@ September 21, 2022 - L4 mitigation (with eBPF) - DoS Live Activity Monitoring with requests mitigation graphs -- DoS Live Activity Monitoring support for multi-instances NGINX App Protect DoS setups (multi-VMs, multi-replicas) +- DoS Live Activity Monitoring support for multi-instances F5 DoS for NGINX setups (multi-VMs, multi-replicas) ### Supported Packages @@ -57,8 +57,8 @@ September 21, 2022 ### Important Notes - L4 (eBPF) mitigation helps mitigate volumetric attacks by slowing down the opening of TCP connections by the attackers. -It is recommended to deploy NGINX App Protect DoS with L4 (eBPF) mitigation at the perimeter network or behind L3 load balancer. -Installing NGINX App Protect DoS with L4 (eBPF) mitigation behind L4/L7 load balancer may result in the load balancer's starvation during an attack. +It is recommended to deploy F5 DoS for NGINX with L4 (eBPF) mitigation at the perimeter network or behind L3 load balancer. +Installing F5 DoS for NGINX with L4 (eBPF) mitigation behind L4/L7 load balancer may result in the load balancer's starvation during an attack. - If NGINX App Protect WAF is installed, app protect should be disabled for the location of DoS Live Activity Monitoring API. diff --git a/content/nap-dos/releases/about-3.1.md b/content/nap-dos/releases/about-3.1.md index 6c2311330..f476dd9a3 100644 --- a/content/nap-dos/releases/about-3.1.md +++ b/content/nap-dos/releases/about-3.1.md @@ -1,26 +1,26 @@ --- -title: NGINX App Protect DoS 3.1 +title: F5 DoS for NGINX 3.1 toc: true weight: 140 nd-docs: DOCS-995 --- -Here you can find the release information for F5 NGINX App Protect DoS v3.1. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v3.1. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 3.1 November 29, 2022 -In this release, NGINX App Protect DoS supports NGINX Plus R28. +In this release, F5 DoS for NGINX supports NGINX Plus R28. ### New Features - Support for NGINX Plus R28. -- NGINX App protect DoS can be deployed behind L4/L7 load balancers when L4 protection is enabled. -- Fixed the issue: Installing NGINX App protect DoS with L4 (eBPF) mitigation behind L4/L7 load balancer may result in the load balancer's starvation during an attack. +- F5 DoS for NGINX can be deployed behind L4/L7 load balancers when L4 protection is enabled. +- Fixed the issue: Installing F5 DoS for NGINX with L4 (eBPF) mitigation behind L4/L7 load balancer may result in the load balancer's starvation during an attack. - Support for [proxy_protocol]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md#monitor-directive-app_protect_dos_monitor" >}}) configuration for server health monitoring.
Previously, server health monitoring could not be used when the listen directive of the correspondent server block contained the `proxy_protocol` parameter.
-This disallowed using NGINX App protect DoS for Denial of Service (DoS) protection for HTTP2 and gRPC protected objects in the `proxy_protocol` configuration. +This disallowed using F5 DoS for NGINX for Denial of Service (DoS) protection for HTTP2 and gRPC protected objects in the `proxy_protocol` configuration. ### Supported Packages diff --git a/content/nap-dos/releases/about-4.0.md b/content/nap-dos/releases/about-4.0.md index 5dab6acfd..95a8fa1a7 100644 --- a/content/nap-dos/releases/about-4.0.md +++ b/content/nap-dos/releases/about-4.0.md @@ -1,11 +1,11 @@ --- -title: NGINX App Protect DoS 4.0 +title: F5 DoS for NGINX 4.0 toc: true weight: 120 nd-docs: DOCS-1115 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.0. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v4.0. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 4.0 diff --git a/content/nap-dos/releases/about-4.1.md b/content/nap-dos/releases/about-4.1.md index 442e20563..3b7543d2f 100644 --- a/content/nap-dos/releases/about-4.1.md +++ b/content/nap-dos/releases/about-4.1.md @@ -1,17 +1,17 @@ --- -title: NGINX App Protect DoS 4.1 +title: F5 DoS for NGINX 4.1 toc: true weight: 110 nd-docs: DOCS-1203 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.1. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v4.1. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 4.1 May 2, 2023 -In this release, NGINX App Protect DoS supports NGINX Plus R29. +In this release, F5 DoS for NGINX supports NGINX Plus R29. ### New Features @@ -91,4 +91,4 @@ In this release, NGINX App Protect DoS supports NGINX Plus R29. - The recommended option of running NGINX Plus in a Docker Container is with the `daemon off` flag. It's mandatory for UBI 8. -- The package dependencies for NGINX App Protect DoS have changed in this release, replacing the `curl` dependencies with `libcurl` only. For more information, see the [NGINX App Protect DoS Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md#prerequisites" >}}). +- The package dependencies for F5 DoS for NGINX have changed in this release, replacing the `curl` dependencies with `libcurl` only. For more information, see the [F5 DoS for NGINX Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md#prerequisites" >}}). diff --git a/content/nap-dos/releases/about-4.2.md b/content/nap-dos/releases/about-4.2.md index 03152db74..88911fefa 100644 --- a/content/nap-dos/releases/about-4.2.md +++ b/content/nap-dos/releases/about-4.2.md @@ -1,17 +1,17 @@ --- -title: NGINX App Protect DoS 4.2 +title: F5 DoS for NGINX 4.2 toc: true weight: 100 nd-docs: DOCS-1254 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.2. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v4.2. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 4.2 August 15, 2023 -In this release, NGINX App Protect DoS supports NGINX Plus R30. +In this release, F5 DoS for NGINX supports NGINX Plus R30. ### New Features @@ -95,6 +95,6 @@ In this release, NGINX App Protect DoS supports NGINX Plus R30. - The recommended option of running NGINX Plus in a Docker Container is with the `daemon off` flag. It's mandatory for UBI 8. -- The package dependencies for NGINX App Protect DoS have changed in this release, replacing the `curl` dependencies with `libcurl` only. For more information, see the [NGINX App Protect DoS Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md#prerequisites" >}}). +- The package dependencies for F5 DoS for NGINX have changed in this release, replacing the `curl` dependencies with `libcurl` only. For more information, see the [F5 DoS for NGINX Deployment Guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md#prerequisites" >}}). - Starting with this release, Ubuntu 18.04 support has been deprecated. diff --git a/content/nap-dos/releases/about-4.3.md b/content/nap-dos/releases/about-4.3.md index 5ae85ca28..19b6f8d69 100644 --- a/content/nap-dos/releases/about-4.3.md +++ b/content/nap-dos/releases/about-4.3.md @@ -1,17 +1,17 @@ --- -title: NGINX App Protect DoS 4.3 +title: F5 DoS for NGINX 4.3 toc: true weight: 90 nd-docs: DOCS-1361 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.3. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v4.3. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 4.3 December 19, 2023 -In this release, NGINX App Protect DoS supports NGINX Plus R31. +In this release, F5 DoS for NGINX supports NGINX Plus R31. ### New Features diff --git a/content/nap-dos/releases/about-4.4.md b/content/nap-dos/releases/about-4.4.md index 9bd7ac240..dcacb406a 100644 --- a/content/nap-dos/releases/about-4.4.md +++ b/content/nap-dos/releases/about-4.4.md @@ -1,17 +1,17 @@ --- -title: NGINX App Protect DoS 4.4 +title: F5 DoS for NGINX 4.4 toc: true weight: 80 nd-docs: DOCS-1785 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.4. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +Here you can find the release information for F5 F5 DoS for NGINX v4.4. F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 4.4 May 29, 2024 -In this release, NGINX App Protect DoS supports NGINX Plus R32. +In this release, F5 DoS for NGINX supports NGINX Plus R32. ### New Features diff --git a/content/nap-dos/releases/about-4.5.md b/content/nap-dos/releases/about-4.5.md index 969d4e6b1..a1ba513cd 100644 --- a/content/nap-dos/releases/about-4.5.md +++ b/content/nap-dos/releases/about-4.5.md @@ -1,13 +1,13 @@ --- -title: NGINX App Protect DoS 4.5 +title: F5 DoS for NGINX 4.5 toc: true weight: 70 nd-docs: DOCS-1784 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.5 +Here you can find the release information for F5 F5 DoS for NGINX v4.5 -NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. --- @@ -15,7 +15,7 @@ NGINX App Protect DoS provides behavioral protection against Denial of Service ( Nov 19, 2024 -NGINX App Protect DoS 4.5 adds support for NGINX Plus R33. +F5 DoS for NGINX 4.5 adds support for NGINX Plus R33. --- diff --git a/content/nap-dos/releases/about-4.6.md b/content/nap-dos/releases/about-4.6.md index b45af1e0d..58f9689c1 100644 --- a/content/nap-dos/releases/about-4.6.md +++ b/content/nap-dos/releases/about-4.6.md @@ -1,13 +1,13 @@ --- -title: NGINX App Protect DoS 4.6 +title: F5 DoS for NGINX 4.6 toc: true weight: 60 nd-docs: DOCS-1783 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.6 +Here you can find the release information for F5 F5 DoS for NGINX v4.6 -NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. --- diff --git a/content/nap-dos/releases/about-4.7.md b/content/nap-dos/releases/about-4.7.md index 77e7f2e9a..8fa7cb6c8 100644 --- a/content/nap-dos/releases/about-4.7.md +++ b/content/nap-dos/releases/about-4.7.md @@ -1,13 +1,13 @@ --- -title: NGINX App Protect DoS 4.7 +title: F5 DoS for NGINX 4.7 toc: true weight: 50 nd-docs: DOCS-1783 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.7 +Here you can find the release information for F5 F5 DoS for NGINX v4.7 -NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. +F5 DoS for NGINX provides behavioral protection against Denial of Service (DoS) for your web applications. ## Release 4.7 diff --git a/content/nap-dos/troubleshooting-guide/_index.md b/content/nap-dos/troubleshooting-guide/_index.md index ccc6eeebc..6597d168d 100644 --- a/content/nap-dos/troubleshooting-guide/_index.md +++ b/content/nap-dos/troubleshooting-guide/_index.md @@ -1,5 +1,5 @@ --- -description: Learn how to troubleshoot your F5 NGINX App Protect DoS deployment. +description: Learn how to troubleshoot your F5 F5 DoS for NGINX deployment. title: Troubleshooting Guide weight: 200 url: /nginx-app-protect-dos/troubleshooting-guide/ diff --git a/content/nap-dos/troubleshooting-guide/how-to-troubleshoot.md b/content/nap-dos/troubleshooting-guide/how-to-troubleshoot.md index 7ac06a6a7..f9e9839f6 100644 --- a/content/nap-dos/troubleshooting-guide/how-to-troubleshoot.md +++ b/content/nap-dos/troubleshooting-guide/how-to-troubleshoot.md @@ -1,7 +1,7 @@ --- -description: Learn about the F5 NGINX App Protect DoS Troubleshooting Guide. +description: Learn about the F5 F5 DoS for NGINX Troubleshooting Guide. nd-docs: DOCS-675 -title: NGINX App Protect DoS Troubleshooting Guide +title: F5 DoS for NGINX Troubleshooting Guide toc: true weight: 200 type: @@ -10,7 +10,7 @@ type: ## Overview -This Troubleshooting Guide is intended to provide guidance to customers in the detection and correction of programming issues in F5 NGINX App Protect DoS. It may also be useful to IT. +This Troubleshooting Guide is intended to provide guidance to customers in the detection and correction of programming issues in F5 F5 DoS for NGINX. It may also be useful to IT. ## Resolving Known Problems @@ -22,11 +22,11 @@ This Troubleshooting Guide is intended to provide guidance to customers in the d |-------|--------| | NGINX is not running (ps -aux)

Reloading NGINX fails| Check the error log at `/var/log/nginx/error.log`.
Fix the problem and re-run NGINX.| | No original source IP in logs|1. XFF is not configured (or not configured correctly)
2. External Load Balancer doesn't forward XFF | -| NGINX App Protect DoS functionality is not as expected| NGINX App Protect DoS has several logs which can be used for troubleshooting.
Usually, it is best to look for any warning or error messages within the logs.
Refer to [Logs Overview]({{< ref "/nap-dos/monitoring/types-of-logs.md">}})| +| F5 DoS for NGINX functionality is not as expected| F5 DoS for NGINX has several logs which can be used for troubleshooting.
Usually, it is best to look for any warning or error messages within the logs.
Refer to [Logs Overview]({{< ref "/nap-dos/monitoring/types-of-logs.md">}})| | `Too many open files` error message | Increase number of file descriptors.
For example: `worker_rlimit_nofile 65535;` in the main context of `nginx.conf` file.
Refer to [worker_rlimit_nofile directive](https://www.nginx.com/blog/using-nginx-plus-with-selinux/) | | `setrlimit ... failed (Permission denied)` error message | Increase the limit using the following command as the root user:
`setsebool -P httpd_setrlimit 1;`
Refer to [Issue 4: Too many files are open Error](https://www.nginx.com/blog/using-nginx-plus-with-selinux/#Issue-4:-%3Ccode%3EToo-many-files-are-open%3C/code%3E-Error) | -| More protected objects than expected | The `app_protect_dos_enable` directive is inherited by all server and location blocks beneath it, each block will be a protected object.
Consider moving this directive from outer to inner block.
Refer to: [NGINX App Protect DoS - Directives and Policy]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md" >}}) | -| `No DOS protection for ngx_worker at idx X` warning message | There are more nginx processes than allowed.
Either decrease the number of nginx processes (ngx_processes directive in `nginx.conf` file) or increase the number of supported workers for NGINX App Protect DoS using the flag `--max-workers NUM` for `/usr/bin/adminstall`. | +| More protected objects than expected | The `app_protect_dos_enable` directive is inherited by all server and location blocks beneath it, each block will be a protected object.
Consider moving this directive from outer to inner block.
Refer to: [F5 DoS for NGINX - Directives and Policy]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md" >}}) | +| `No DOS protection for ngx_worker at idx X` warning message | There are more nginx processes than allowed.
Either decrease the number of nginx processes (ngx_processes directive in `nginx.conf` file) or increase the number of supported workers for F5 DoS for NGINX using the flag `--max-workers NUM` for `/usr/bin/adminstall`. | | `unknown directive 'app_protect_dos_xxx'` error message | App Protect DOS module is not loaded. Add this line to the main (global) context of nginx.conf:
`load_module "/etc/nginx/modules/ngx_http_app_protect_dos_module.so";` | | NGINX struggles handling a high rate of incoming connections | Linux machine should be tuned for optimal performance.
Refer to [Tuning NGINX for Performance](https://www.nginx.com/blog/tuning-nginx/) | | Error in `adminstall` process, such as `Failed to allocate` | Insufficient memory to allocate all the required resources.
Increase the `--memory` size or decrease the number of nginx workers (`--max_workers`) if not all of them are going to be in use.
Use the `--help` flag for more info. | @@ -35,11 +35,11 @@ This Troubleshooting Guide is intended to provide guidance to customers in the d ### ELK issues -ELK issues are addressed directly in GitHub by posting the issue to Kibana dashboards for [NGINX App Protect DoS GitHub repo](https://github.com/f5devcentral/nap-dos-elk-dashboards). +ELK issues are addressed directly in GitHub by posting the issue to Kibana dashboards for [F5 DoS for NGINX GitHub repo](https://github.com/f5devcentral/nap-dos-elk-dashboards). ### SELinux -Configure SELinux to allow NGINX App Protect DoS. +Configure SELinux to allow F5 DoS for NGINX. The configuration steps are found in the [SELinux configuration]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md#selinux-configuration" >}}) section of the deployment guide. @@ -79,7 +79,7 @@ If there are any problems, collect the troubleshooting information in a tarball 1. Get package version: - a. Get NGINX App Protect DoS version:
+ a. Get F5 DoS for NGINX version:
```shell /usr/bin/admd -v > package_versions.txt @@ -103,7 +103,7 @@ If there are any problems, collect the troubleshooting information in a tarball cat /etc/os-release > system_version.txt && uname -r >> system_version.txt && cat /proc/version >> system_version.txt ``` - d. Get NGINX App Protect DoS shared memory dump:
+ d. Get F5 DoS for NGINX shared memory dump:
```shell admd -c > napd_shmem.txt diff --git a/content/nginx-one/_index.md b/content/nginx-one/_index.md index 0f7ccda35..99f7e201d 100644 --- a/content/nginx-one/_index.md +++ b/content/nginx-one/_index.md @@ -101,7 +101,7 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an {{< card title="NGINX App Protect WAF" titleUrl="/nginx-app-protect-waf" brandIcon="NGINX-App-Protect-WAF-product-icon.svg">}} Lightweight, high-performance, advanced protection against Layer 7 attacks on your apps and APIs. {{}} - {{< card title="NGINX App Protect DoS" titleUrl="/nginx-app-protect-dos" brandIcon="NGINX-App-Protect-DoS-product-icon.svg">}} + {{< card title="F5 DoS for NGINX" titleUrl="/nginx-app-protect-dos" brandIcon="NGINX-App-Protect-DoS-product-icon.svg">}} Defend, adapt, and mitigate against Layer 7 denial-of-service attacks on your apps and APIs. {{}} {{}} diff --git a/content/nginxaas-azure/overview/feature-comparison.md b/content/nginxaas-azure/overview/feature-comparison.md index f30da905f..4a2425464 100644 --- a/content/nginxaas-azure/overview/feature-comparison.md +++ b/content/nginxaas-azure/overview/feature-comparison.md @@ -41,7 +41,7 @@ type: |  Internal redirect | |{{}} | | |  NGINX as a SAML Service Provider | |{{}} |{{}} | |  [NGINX App Protect WAF](https://www.f5.com/products/nginx/nginx-app-protect) (additional cost) | |{{}} |{{}} | -|  [NGINX App Protect DoS](https://www.f5.com/products/nginx/nginx-app-protect) (additional cost) | |{{}} | | +|  [F5 DoS for NGINX](https://www.f5.com/products/nginx/nginx-app-protect) (additional cost) | |{{}} | | |**Monitoring** |**NGINX Open
Source** |**NGINX Plus
 ** |**NGINXaaS
for Azure** | |  Export to [external monitoring tools](https://docs.nginx.com/nginx/admin-guide/monitoring/live-activity-monitoring/) |{{}} |{{}} |Export metrics to
Azure Monitor | |  Built-in dashboard | |{{}} |[Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/overview)
and [Azure Portal](https://azure.microsoft.com/en-us/get-started/azure-portal) | diff --git a/content/nic/configuration/security.md b/content/nic/configuration/security.md index ad561cb21..676a3ad56 100644 --- a/content/nic/configuration/security.md +++ b/content/nic/configuration/security.md @@ -34,7 +34,7 @@ By default, the ServiceAccount has access to all Secret resources in the cluster ### Configure root filesystem as read-only {{< call-out "caution" >}} - This feature is compatible with [NGINX App Protect WAF v5]({{< ref "/nap-waf/v5/" >}}). It is not compatible with [NGINX App Protect WAF v4]({{< ref "/nap-waf/v4/" >}}) or [NGINX App Protect DoS]({{< ref "/nap-dos/" >}}). + This feature is compatible with [NGINX App Protect WAF v5]({{< ref "/nap-waf/v5/" >}}). It is not compatible with [NGINX App Protect WAF v4]({{< ref "/nap-waf/v4/" >}}) or [F5 DoS for NGINX]({{< ref "/nap-dos/" >}}). {{< /call-out >}} NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes `nginx-ingress-controller`, though also includes `waf-enforcer` and `waf-config-mgr` when NGINX App Protect WAFv5 is in use. This is so that the attack surface is further reduced by limiting changes to binaries and libraries. diff --git a/content/nic/installation/build-nginx-ingress-controller.md b/content/nic/installation/build-nginx-ingress-controller.md index b9c2b78ef..f829b308d 100644 --- a/content/nic/installation/build-nginx-ingress-controller.md +++ b/content/nic/installation/build-nginx-ingress-controller.md @@ -151,14 +151,14 @@ Key targets include: | _debian-image-plus_ | Builds a Debian-based image with NGINX Plus. | | _debian-image-nap-plus_ | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect/) module. | | _debian-image-nap-v5-plus_ | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect/) module. | -| _debian-image-dos-plus_ | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module. | -| _debian-image-nap-dos-plus_ | Builds a Debian-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect/) and [NGINX App Protect DoS](/nginx-app-protect-dos/) modules. | +| _debian-image-dos-plus_ | Builds a Debian-based image with NGINX Plus and the [F5 DoS for NGINX](/nginx-app-protect-dos/) module. | +| _debian-image-nap-dos-plus_ | Builds a Debian-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect/) and [F5 DoS for NGINX](/nginx-app-protect-dos/) modules. | | _ubi-image_ | Builds a UBI-based image with NGINX for [OpenShift](https://www.openshift.com/) clusters. | | _ubi-image-plus_ | Builds a UBI-based image with NGINX Plus for [OpenShift](https://www.openshift.com/) clusters. | | _ubi-image-nap-plus_ | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect/) module for [OpenShift](https://www.openshift.com/) clusters. | | _ubi-image-nap-v5-plus_ | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect/) module for [OpenShift](https://www.openshift.com/) clusters. | -| _ubi-image-dos-plus_ | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module for [OpenShift](https://www.openshift.com/) clusters. | -| _ubi-image-nap-dos-plus_ |

Builds a UBI-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect/) and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module for [OpenShift](https://www.openshift.com/) clusters.

**Important**: Save your RHEL organization and activation keys in a file named _rhel_license_ at the project root.

For instance:

RHEL_ORGANIZATION=1111111
RHEL_ACTIVATION_KEY=your-key
| +| _ubi-image-dos-plus_ | Builds a UBI-based image with NGINX Plus and the [F5 DoS for NGINX](/nginx-app-protect-dos/) module for [OpenShift](https://www.openshift.com/) clusters. | +| _ubi-image-nap-dos-plus_ |

Builds a UBI-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect/) and the [F5 DoS for NGINX](/nginx-app-protect-dos/) module for [OpenShift](https://www.openshift.com/) clusters.

**Important**: Save your RHEL organization and activation keys in a file named _rhel_license_ at the project root.

For instance:

RHEL_ORGANIZATION=1111111
RHEL_ACTIVATION_KEY=your-key
| {{}} --- diff --git a/content/nic/installation/installing-nic/installation-with-manifests.md b/content/nic/installation/installing-nic/installation-with-manifests.md index 8df8e0a53..eb550acb3 100644 --- a/content/nic/installation/installing-nic/installation-with-manifests.md +++ b/content/nic/installation/installing-nic/installation-with-manifests.md @@ -71,14 +71,14 @@ To use App Protect DoS, install the App Protect DoS Arbitrator using the provide ### Create optional custom resources -There are optional CRDs that are necessary if you want to use NGINX App Protect WAF or NGINX App Protect DoS. +There are optional CRDs that are necessary if you want to use NGINX App Protect WAF or F5 DoS for NGINX. **NGINX App Protect WAF**: - `APPolicy` - `APLogConf` - `APUserSig` -**NGINX App Protect DoS**: +**F5 DoS for NGINX**: - `APDosPolicy` - `APDosLogConf` - `DosProtectedResource` @@ -96,7 +96,7 @@ There are optional CRDs that are necessary if you want to use NGINX App Protect kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-waf.yaml ``` -**NGINX App Protect DoS**: +**F5 DoS for NGINX**: ```shell kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-dos.yaml @@ -116,7 +116,7 @@ kubectl apply -f config/crd/bases/appprotect.f5.com_appolicies.yaml kubectl apply -f config/crd/bases/appprotect.f5.com_apusersigs.yaml ``` -**NGINX App Protect DoS**: +**F5 DoS for NGINX**: ```shell kubectl apply -f config/crd/bases/appprotectdos.f5.com_apdoslogconfs.yaml @@ -272,7 +272,7 @@ Connect to ports 80 and 443 using the IP address of any node in the cluster wher kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-waf.yaml ``` - 3. Delete custom resource definitions for the NGINX App Protect DoS module: + 3. Delete custom resource definitions for the F5 DoS for NGINX module: ```shell kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-dos.yaml ``` @@ -290,7 +290,7 @@ kubectl delete -f config/crd/bases/crds.yaml kubectl apply -f config/crd/bases/crds-nap-waf.yaml ``` -3. Delete custom resource definitions for the NGINX App Protect DoS module: +3. Delete custom resource definitions for the F5 DoS for NGINX module: ```shell kubectl apply -f config/crd/bases/crds-nap-dos.yaml ``` diff --git a/content/nic/installation/integrations/app-protect-dos/_index.md b/content/nic/installation/integrations/app-protect-dos/_index.md index 6f2685996..fc6c0082c 100644 --- a/content/nic/installation/integrations/app-protect-dos/_index.md +++ b/content/nic/installation/integrations/app-protect-dos/_index.md @@ -1,6 +1,6 @@ --- -title: NGINX App Protect DoS -description: Learn how to use NGINX Ingress Controller for Kubernetes with NGINX App Protect DoS. +title: F5 DoS for NGINX +description: Learn how to use NGINX Ingress Controller for Kubernetes with F5 DoS for NGINX. weight: 300 menu: docs: diff --git a/content/nic/installation/integrations/app-protect-dos/configuration.md b/content/nic/installation/integrations/app-protect-dos/configuration.md index 0b39faee8..8ce84d042 100644 --- a/content/nic/installation/integrations/app-protect-dos/configuration.md +++ b/content/nic/installation/integrations/app-protect-dos/configuration.md @@ -161,4 +161,4 @@ Then add a reference in the `DosProtectedResource` to the `APDosLogConf`: ## Global Configuration -NGINX Ingress Controller has a set of global configuration parameters that align with those available in the NGINX App Protect DoS module. See [ConfigMap keys]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#modules" >}}) for the complete list. The App Protect parameters use the `app-protect-dos*` prefix. +NGINX Ingress Controller has a set of global configuration parameters that align with those available in the F5 DoS for NGINX module. See [ConfigMap keys]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#modules" >}}) for the complete list. The App Protect parameters use the `app-protect-dos*` prefix. diff --git a/content/nic/installation/integrations/app-protect-dos/dos-protected.md b/content/nic/installation/integrations/app-protect-dos/dos-protected.md index cfb112eb3..771b84533 100644 --- a/content/nic/installation/integrations/app-protect-dos/dos-protected.md +++ b/content/nic/installation/integrations/app-protect-dos/dos-protected.md @@ -7,9 +7,9 @@ nd-product: NIC nd-docs: DOCS-581 --- -NGINX App Protect DoS protected resource specification +F5 DoS for NGINX protected resource specification -{{< call-out "note" >}} This feature is only available using the NGINX Plus [NGINX App Protect DoS Module]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). {{< /call-out >}} +{{< call-out "note" >}} This feature is only available using the NGINX Plus [F5 DoS for NGINX Module]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). {{< /call-out >}} ## DoS Protected resource specification @@ -30,12 +30,12 @@ spec: {{% table %}} |Field | Description | Type | Required | | ---| ---| ---| --- | -|``enable`` | Enables NGINX App Protect DoS, Default value: false. | ``bool`` | No | +|``enable`` | Enables F5 DoS for NGINX, Default value: false. | ``bool`` | No | |``name`` | Name of the protected object, max of 63 characters. | ``string`` | Yes | |``dosAccessLogDest`` | The log destination for the access log with dos log format. Accepted variables are ``:`` or ``stderr``. | ``string`` | No | |``apDosMonitor.uri`` | The destination to the desired protected object. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: None, URL will be extracted from the first request which arrives and taken from "Host" header or from destination ip+port. | ``string`` | No | |``apDosMonitor.protocol`` | Determines if the server listens on http1 / http2 / grpc / websocket. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: http1. | ``enum`` | No | -|``apDosMonitor.timeout`` | Determines how long (in seconds) should NGINX App Protect DoS wait for a response. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: 10 seconds for http1/http2 and 5 seconds for grpc. | ``int64`` | No | +|``apDosMonitor.timeout`` | Determines how long (in seconds) should F5 DoS for NGINX wait for a response. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: 10 seconds for http1/http2 and 5 seconds for grpc. | ``int64`` | No | |``apDosPolicy`` | The [App Protect DoS policy](#dosprotectedresourceapdospolicy) of the dos. Accepts an optional namespace. | ``string`` | No | |``dosSecurityLog.enable`` | Enables security log. | ``bool`` | No | |``dosSecurityLog.apDosLogConf`` | The [App Protect DoS log conf]({{< ref "/nic/installation/integrations/app-protect-dos/configuration.md#app-protect-dos-logs" >}}) resource. Accepts an optional namespace. | ``string`` | No | @@ -49,7 +49,7 @@ The `apDosPolicy` is a reference (qualified identifier in the format `namespace/ ### DosProtectedResource.apDosMonitor -This is how NGINX App Protect DoS monitors the stress level of the protected object. The monitor requests are sent from localhost (127.0.0.1). +This is how F5 DoS for NGINX monitors the stress level of the protected object. The monitor requests are sent from localhost (127.0.0.1). ### Invalid DoS Protected resources diff --git a/content/nic/installation/integrations/app-protect-dos/installation.md b/content/nic/installation/integrations/app-protect-dos/installation.md index 28c56060d..725a6075c 100644 --- a/content/nic/installation/integrations/app-protect-dos/installation.md +++ b/content/nic/installation/integrations/app-protect-dos/installation.md @@ -1,5 +1,5 @@ --- -title: Build NGINX Ingress Controller with NGINX App Protect DoS +title: Build NGINX Ingress Controller with F5 DoS for NGINX weight: 100 toc: true type: how-to @@ -7,19 +7,19 @@ product: NIC nd-docs: DOCS-583 --- -This document explains how to build an image for F5 NGINX Ingress Controller with NGINX App Protect DoS from source code. +This document explains how to build an image for F5 NGINX Ingress Controller with F5 DoS for NGINX from source code. {{}}If you'd rather not build your own NGINX Ingress Controller image, see the [pre-built image options](#pre-built-images) at the end of this guide.{{}} ## Before you start -- To use NGINX App Protect DoS with NGINX Ingress Controller, you must have NGINX Plus. +- To use F5 DoS for NGINX with NGINX Ingress Controller, you must have NGINX Plus. --- ## Prepare the environment {#prepare-environment} -Get your system ready for building and pushing the NGINX Ingress Controller image with NGINX App Protect DoS. +Get your system ready for building and pushing the NGINX Ingress Controller image with F5 DoS for NGINX. 1. Sign in to your private registry. Replace `` with the path to your own private registry. @@ -45,7 +45,7 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag ## Build the image {#build-docker-image} -Follow these steps to build the NGINX Controller Image with NGINX App Protect DoS. +Follow these steps to build the NGINX Controller Image with F5 DoS for NGINX. 1. Place your NGINX Plus license files (_nginx-repo.crt_ and _nginx-repo.key_) in the project's root folder. To verify they're in place, run: @@ -65,7 +65,7 @@ Follow these steps to build the NGINX Controller Image with NGINX App Protect Do make PREFIX=/nginx-plus-ingress TARGET=download ``` - For example, to build a Debian-based image with NGINX Plus and NGINX App Protect DoS, run: + For example, to build a Debian-based image with NGINX Plus and F5 DoS for NGINX, run: ```shell make debian-image-dos-plus PREFIX=/nginx-plus-ingress TARGET=download @@ -80,10 +80,10 @@ Follow these steps to build the NGINX Controller Image with NGINX App Protect Do {{}} | Makefile Target | Description | Compatible Systems | |---------------------------|-------------------------------------------------------------------|---------------------| -| **debian-image-dos-plus** | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module. | Debian | -| **debian-image-nap-dos-plus** | Builds a Debian-based image with NGINX Plus, [NGINX App Protect DoS](/nginx-app-protect-dos/), and [NGINX App Protect WAF](/nginx-app-protect/). | Debian | -| **ubi-image-dos-plus** | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module. | OpenShift | -| **ubi-image-nap-dos-plus** | Builds a UBI-based image with NGINX Plus, [NGINX App Protect DoS](/nginx-app-protect-dos/), and [NGINX App Protect WAF](/nginx-app-protect/). | OpenShift | +| **debian-image-dos-plus** | Builds a Debian-based image with NGINX Plus and the [F5 DoS for NGINX](/nginx-app-protect-dos/) module. | Debian | +| **debian-image-nap-dos-plus** | Builds a Debian-based image with NGINX Plus, [F5 DoS for NGINX](/nginx-app-protect-dos/), and [NGINX App Protect WAF](/nginx-app-protect/). | Debian | +| **ubi-image-dos-plus** | Builds a UBI-based image with NGINX Plus and the [F5 DoS for NGINX](/nginx-app-protect-dos/) module. | OpenShift | +| **ubi-image-nap-dos-plus** | Builds a UBI-based image with NGINX Plus, [F5 DoS for NGINX](/nginx-app-protect-dos/), and [NGINX App Protect WAF](/nginx-app-protect/). | OpenShift | {{}}
@@ -94,7 +94,7 @@ Follow these steps to build the NGINX Controller Image with NGINX App Protect Do ## Push the image to your private registry -Once you've successfully built the NGINX Ingress Controller image with NGINX App Protect DoS, the next step is to upload it to your private Docker registry. This makes the image available for deployment to your Kubernetes cluster. +Once you've successfully built the NGINX Ingress Controller image with F5 DoS for NGINX, the next step is to upload it to your private Docker registry. This makes the image available for deployment to your Kubernetes cluster. To upload the image, run the following command. If you're using a custom tag, add `TAG=your-tag` to the end of the command. Replace `` with your private registry's path. @@ -180,7 +180,7 @@ kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yam ### Helm Chart -The App Protect DoS Arbitrator can be installed using the [NGINX App Protect DoS Helm Chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). +The App Protect DoS Arbitrator can be installed using the [F5 DoS for NGINX Helm Chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). If you have the NGINX Helm Repository already added, you can install the App Protect DoS Arbitrator by running the following command: ```shell @@ -206,9 +206,9 @@ Alternatively, you can install the App Protect DoS Arbitrator using the YAML man --- -## Enable NGINX App Protect DoS module +## Enable F5 DoS for NGINX module -To enable the NGINX App Protect DoS Module: +To enable the F5 DoS for NGINX Module: - Add the `enable-app-protect-dos` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect-dos" >}}) to your Deployment or DaemonSet file. diff --git a/content/nic/installation/integrations/app-protect-dos/troubleshoot-app-protect-dos.md b/content/nic/installation/integrations/app-protect-dos/troubleshoot-app-protect-dos.md index 323c2d53e..4d23b1a44 100644 --- a/content/nic/installation/integrations/app-protect-dos/troubleshoot-app-protect-dos.md +++ b/content/nic/installation/integrations/app-protect-dos/troubleshoot-app-protect-dos.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot NGINX App Protect DoS +title: Troubleshoot F5 DoS for NGINX toc: true weight: 400 nd-content-type: how-to diff --git a/content/nic/installation/integrations/app-protect-waf-v5/installation.md b/content/nic/installation/integrations/app-protect-waf-v5/installation.md index 207b8bc54..18a5478c8 100644 --- a/content/nic/installation/integrations/app-protect-waf-v5/installation.md +++ b/content/nic/installation/integrations/app-protect-waf-v5/installation.md @@ -92,7 +92,7 @@ Create Docker image for NGINX Ingress Controller (Alpine with NGINX Plus, NGINX | **alpine-image-nap-v5-plus-fips** | Builds a Alpine-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect-waf/v5/) module with FIPS. | Alpine | | **debian-image-nap-v5-plus** | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect-waf/v5/) module. | Debian | | **ubi-image-nap-v5-plus** | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect-waf/v5/) module. | OpenShift | -| **ubi-image-nap-dos-v5-plus** | Builds a UBI-based image with NGINX Plus, [NGINX App Protect WAF v5](/nginx-app-protect-waf/v5/), and [NGINX App Protect DoS](/nginx-app-protect-dos/). | OpenShift | +| **ubi-image-nap-dos-v5-plus** | Builds a UBI-based image with NGINX Plus, [NGINX App Protect WAF v5](/nginx-app-protect-waf/v5/), and [F5 DoS for NGINX](/nginx-app-protect-dos/). | OpenShift | {{}}
@@ -479,7 +479,7 @@ Add `readOnlyRootFilesystem` to the `waf-enforcer` container and set value to `t ### Enable NGINX App Protect WAF module -To enable the NGINX App Protect DoS Module: +To enable the F5 DoS for NGINX Module: - Add the `enable-app-protect` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file. diff --git a/content/nic/installation/integrations/app-protect-waf/installation.md b/content/nic/installation/integrations/app-protect-waf/installation.md index d149c3b1b..68664a214 100644 --- a/content/nic/installation/integrations/app-protect-waf/installation.md +++ b/content/nic/installation/integrations/app-protect-waf/installation.md @@ -56,7 +56,7 @@ Follow these steps to build the NGINX Controller Image with NGINX App Protect WA make PREFIX=/nginx-plus-ingress TARGET=download ``` - For example, to build a Debian-based image with NGINX Plus and NGINX App Protect DoS, run: + For example, to build a Debian-based image with NGINX Plus and F5 DoS for NGINX, run: ```shell make debian-image-dos-plus PREFIX=/nginx-plus-ingress TARGET=download @@ -72,9 +72,9 @@ Follow these steps to build the NGINX Controller Image with NGINX App Protect WA | Makefile Target | Description | Compatible Systems | |---------------------------|-------------------------------------------------------------------|---------------------| | **debian-image-nap-plus** | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect-waf/) module. | Debian | -| **debian-image-nap-dos-plus** | Builds a Debian-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect-waf/), and [NGINX App Protect DoS](/nginx-app-protect-dos/) | Debian | +| **debian-image-nap-dos-plus** | Builds a Debian-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect-waf/), and [F5 DoS for NGINX](/nginx-app-protect-dos/) | Debian | | **ubi-image-nap-plus** | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect-waf/) module. | OpenShift | -| **ubi-image-nap-dos-plus** | Builds a UBNI-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect-waf/), and [NGINX App Protect DoS](/nginx-app-protect-dos/). | OpenShift | +| **ubi-image-nap-dos-plus** | Builds a UBNI-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect-waf/), and [F5 DoS for NGINX](/nginx-app-protect-dos/). | OpenShift | {{}}
@@ -199,7 +199,7 @@ volumeMounts: ## Enable NGINX App Protect WAF module -To enable the NGINX App Protect DoS Module: +To enable the F5 DoS for NGINX Module: - Add the `enable-app-protect` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file. diff --git a/content/nic/installation/nic-images/registry-download.md b/content/nic/installation/nic-images/registry-download.md index c37c00e05..5cc20429b 100644 --- a/content/nic/installation/nic-images/registry-download.md +++ b/content/nic/installation/nic-images/registry-download.md @@ -9,7 +9,7 @@ nd-docs: DOCS-605 This page describes how to download an F5 NGINX Plus Ingress Controller image from the official F5 Docker registry. -The F5 Registry images include versions with NGINX App Protect WAF and NGINX App Protect DoS. +The F5 Registry images include versions with NGINX App Protect WAF and F5 DoS for NGINX. ## Before you begin @@ -65,13 +65,13 @@ Replace `` with the specific version you need, for example, `{{< ni docker pull private-registry.nginx.com/nap/waf-enforcer: ``` -- For NGINX Plus Ingress Controller with NGINX App Protect DoS, run: +- For NGINX Plus Ingress Controller with F5 DoS for NGINX, run: ```shell docker pull private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress: ``` -- For NGINX Plus Ingress Controller with NGINX App Protect WAF and NGINX App Protect DoS, run: +- For NGINX Plus Ingress Controller with NGINX App Protect WAF and F5 DoS for NGINX, run: ```shell docker pull private-registry.nginx.com/nginx-ic-nap-dos/nginx-plus-ingress: @@ -166,7 +166,7 @@ After pulling the image, tag it and upload it to your private registry. docker push /nap/waf-enforcer: ``` - - For NGINX Controller with NGINX App Protect DoS, run: + - For NGINX Controller with F5 DoS for NGINX, run: ```shell docker tag private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress: /nginx-ic-dos/nginx-plus-ingress: diff --git a/content/nic/logging-and-monitoring/status-page.md b/content/nic/logging-and-monitoring/status-page.md index 8d7c42983..4cfda9d50 100644 --- a/content/nic/logging-and-monitoring/status-page.md +++ b/content/nic/logging-and-monitoring/status-page.md @@ -13,7 +13,7 @@ NGINX comes with a status page that reports basic metrics about NGINX called the NGINX Plus comes with a [dashboard]({{< ref "/nginx/admin-guide/monitoring/live-activity-monitoring.md" >}}) that reports key load-balancing and performance metrics. -NGINX App Protect DoS comes with a [dashboard]({{< ref "/nap-dos/monitoring/live-activity-monitoring.md" >}}) that shows the status and information of the protected objects. +F5 DoS for NGINX comes with a [dashboard]({{< ref "/nap-dos/monitoring/live-activity-monitoring.md" >}}) that shows the status and information of the protected objects. This doc shows how to get access to the stub status/dashboard. ## Accessing Stub Status diff --git a/content/nic/releases.md b/content/nic/releases.md index c84783b58..3b30b224a 100644 --- a/content/nic/releases.md +++ b/content/nic/releases.md @@ -1121,7 +1121,7 @@ We will provide technical support for NGINX Ingress Controller on any Kubernetes - Update NGINX Plus version to R28. - Update NGINX App Protect WAF version to 4.0. -- Update NGINX App Protect DoS version to 3.1. +- Update F5 DoS for NGINX version to 3.1. ### Upgrade @@ -1456,7 +1456,7 @@ We will provide technical support for NGINX Ingress Controller on any Kubernetes ### Overview -- Support for NGINX App Protect Denial of Service protection with NGINX Ingress Controller. More information about [NGINX App Protect DoS](https://www.nginx.com/products/nginx-app-protect/denial-of-service/). Examples for configuring NGINX App Protect DoS with NGINX Ingress Controller can be found [here](https://github.com/nginx/kubernetes-ingress/tree/v2.1.1/examples/appprotect-dos). +- Support for NGINX App Protect Denial of Service protection with NGINX Ingress Controller. More information about [F5 DoS for NGINX](https://www.nginx.com/products/nginx-app-protect/denial-of-service/). Examples for configuring F5 DoS for NGINX with NGINX Ingress Controller can be found [here](https://github.com/nginx/kubernetes-ingress/tree/v2.1.1/examples/appprotect-dos). - Full support for gRPC services using the NGINX Ingress Controller [VirtualServer and VirtualServerRoute]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md" >}}) custom resource definitions. This makes configuring and supporting gRPC services much easier, giving a simple YAML configuration and removing the need for snippets. Resource definition examples for gRPC can be found [here](https://github.com/nginx/kubernetes-ingress/tree/v2.1.1/examples/custom-resources/grpc-upstreams). @@ -1468,7 +1468,7 @@ More about the [NGINX Plus mandatory and persistent health check features]({{< r ### Features - [2251](https://github.com/nginx/kubernetes-ingress/pull/2251) Enable setting mandatory and persistent in upstream healthchecks in VS and VSR. -- [2241](https://github.com/nginx/kubernetes-ingress/pull/2241) Add support for NGINX App Protect DoS. +- [2241](https://github.com/nginx/kubernetes-ingress/pull/2241) Add support for F5 DoS for NGINX. - [2200](https://github.com/nginx/kubernetes-ingress/pull/2200) Add Alpine image with OpenTracing. - [2178](https://github.com/nginx/kubernetes-ingress/pull/2178) Support healthchecks in gRPC upstreams. - [2110](https://github.com/nginx/kubernetes-ingress/pull/2110) Support gRPC in the Upstreams of the virtual server resources. Particular thanks to [Chiyu Zhong](https://github.com/CatTail) for all their work. diff --git a/content/nic/technical-specifications.md b/content/nic/technical-specifications.md index b493ac7e3..fa9f9f08b 100644 --- a/content/nic/technical-specifications.md +++ b/content/nic/technical-specifications.md @@ -74,12 +74,12 @@ NGINX Plus images are available through the F5 Container registry `private-regis |Debian-based image | ``debian:12-slim`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 | |Debian-based image with NGINX App Protect WAF | ``debian:12-slim`` | NGINX App Protect WAF
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}` | amd64 | |Debian-based image with NGINX App Protect WAF v5 | ``debian:12-slim`` | NGINX App Protect WAF v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -|Debian-based image with NGINX App Protect DoS | ``debian:12-slim`` | NGINX App Protect DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +|Debian-based image with F5 DoS for NGINX | ``debian:12-slim`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | |Debian-based image with NGINX App Protect WAF and DoS | ``debian:12-slim`` | NGINX App Protect WAF and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | |Ubi-based image | ``redhat/ubi9-minimal`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-ubi` | arm64
amd64 | |Ubi-based image with NGINX App Protect WAF | ``redhat/ubi9`` | NGINX App Protect WAF
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | |Ubi-based image with NGINX App Protect WAF v5 | ``redhat/ubi9`` | NGINX App Protect WAF v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | -|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +|Ubi-based image with F5 DoS for NGINX | ``redhat/ubi8`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | |Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | {{% /bootstrap-table %}} diff --git a/content/nim/_index.md b/content/nim/_index.md index c46d14a2e..74cbc7561 100644 --- a/content/nim/_index.md +++ b/content/nim/_index.md @@ -110,7 +110,7 @@ NGINX Instance Manager is part of NGINX One, which includes [NGINX One component {{< card title="NGINX App Protect WAF" titleUrl="/nginx-app-protect-waf" brandIcon="NGINX-App-Protect-WAF-product-icon.png">}} Lightweight, high-performance, advanced protection against Layer 7 attacks on your apps and APIs. {{}} - {{< card title="NGINX App Protect DoS" titleUrl="/nginx-app-protect-dos" brandIcon="NGINX-App-Protect-DoS-product-icon.png">}} + {{< card title="F5 DoS for NGINX" titleUrl="/nginx-app-protect-dos" brandIcon="NGINX-App-Protect-DoS-product-icon.png">}} Defend, adapt, and mitigate against Layer 7 denial-of-service attacks on your apps and APIs. {{}} {{}} diff --git a/content/solutions/about-subscription-licenses.md b/content/solutions/about-subscription-licenses.md index 8aba61588..0faf57e5b 100644 --- a/content/solutions/about-subscription-licenses.md +++ b/content/solutions/about-subscription-licenses.md @@ -207,9 +207,9 @@ For details on installing or upgrading NGINX App Protect WAF, visit the guide fo - [NGINX App Protect WAF v4 installation guide]({{< ref "/nap-waf/v4/admin-guide/install.md" >}}) - [NGINX App Protect WAF v5 installation guide]({{< ref "/nap-waf/v5/admin-guide/install.md" >}}) -### NGINX App Protect DoS +### F5 DoS for NGINX -For detailed instructions on installing or upgrading NGINX App Protect DoS, visit the [NGINX App Protect DoS installation guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). +For detailed instructions on installing or upgrading F5 DoS for NGINX, visit the [F5 DoS for NGINX installation guide]({{< ref "/nap-dos/deployment-guide/learn-about-deployment.md" >}}). ## Watch instructional videos diff --git a/content/waf/_index.md b/content/waf/_index.md new file mode 100644 index 000000000..36f6fdaf2 --- /dev/null +++ b/content/waf/_index.md @@ -0,0 +1,39 @@ +--- +# The title is the product name +title: "F5 WAF for NGINX" +# The URL is the base of the deployed path, becoming "docs.nginx.com//" +url: /waf/ +# The cascade directive applies its nested parameters down the page tree until overwritten +cascade: + # The logo file is resolved from the theme, in the folder /static/images/icons/ + logo: NGINX-App-Protect-WAF-product-icon.svg +# The subtitle displays directly underneath the heading of a given page +nd-subtitle: A lightweight, high-performance web application firewall for protecting APIs and applications +# Indicates that this is a custom landing page +nd-landing-page: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: landing-page +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +## About + +Defend your applications and APIs with a software security solution that seamlessly integrates into DevOps environments as a lightweight web application firewall (WAF), layer 7 denial-of-service (DoS) protection, bot protection, API security, and threat intelligence services. + +## Featured content + +{{}} + {{}} + {{}} + Learn about how F5 WAF for NGINX works and how it can be used to protect your applications + {{}} + {{}} + Explore the methods available to deploy F5 WAF for NGINX in your environment + {{}} + {{}} + Review the latest changes and improvements to F5 WAF for NGINX + {{}} + {{}} +{{}} diff --git a/content/waf/changelog.md b/content/waf/changelog.md new file mode 100644 index 000000000..e8ffa95de --- /dev/null +++ b/content/waf/changelog.md @@ -0,0 +1,159 @@ +--- +# We use sentence case and present imperative tone +title: "Changelog" +# Weights are assigned in increments of 100: determines sorting order +weight: 800 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a single reference point for changes between each release. "Changelog" is the term being adopted across the entire NGINX product ecosystem. + +Since both versions of NGINX App Protect WAF are released at the same time, they can be stored in the same note. Change items for only one specific version are explicitly annotated when necessary. + +Updating the content of this page will likely be automated in the future, following some procedural changes to how tickets are managed within JIRA. + +{{}} + +This changelog lists all of the information for F5 WAF for NGINX releases in 2025. + +For older releases, check the changelogs for previous years: [2024](), [2023](). + +## NGINX App Protect WAF 5.7 / 4.15 + +### New features + +- Added support for Rocky Linux 9 +- Added support for IP Intelligence +- Added support for Override rules for IP Address Lists + +### Important notes + +- Ubuntu 20.04 is no longer supported +- (12447) Upgrade libk5crypto3 package +- (12520) Upgrade Go compiler to 1.23.8 + +### Resolved issues + +- (12527) Remove CPAN - installed certs and source files +- (11112) Remove systemd/init.d leftovers in NAP WAF v5 pkgs +- (12400) Cookie attributes are not added to a TS cookie when there is more than one TS cookie +- (12498) Undefined behavior when using huge XFF +- (12731) Multiple clean_resp_reset internal error messages in logs when loading NAP + +### 5.7 packages + +#### NGINX Open Source + +| Distribution name | Package file | +|--------------------------|-------------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.442.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.442.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.442.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.442.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.442.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.442.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.27.4+5.442.0-1.el9.ngx.x86_64.rpm_ | + +#### NGINX Plus + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-plus-34+5.442.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-plus-34+5.442.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-plus_34+5.442.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-plus_34+5.442.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 22.04 | _app-protect-module-plus_34+5.442.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-plus_34+5.442.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 and Rocky Linux 9 | _app-protect-module-plus-34+5.442.0-1.el9.ngx.x86_64.rpm_ | + +### 4.15 packages + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------| +| Alpine 3.19 | _app-protect-34.5.442.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-34+5.442.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect_34+5.442.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect_34+5.442.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 22.04 | _app-protect_34+5.442.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect_34+5.442.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 and Rocky Linux 9 | _app-protect-34+5.442.0-1.el9.ngx.x86_64.rpm_ | + +## NGINX App Protect WAF 5.6 / 4.14 + +### New features + +- Added support for NGINX Plus R34 +- **5.6 Only:** You can now [deploy NGINX App Protect WAF 5+ using a Helm chart]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md">}}) + +### Important notes + +- Alpine 3.17 is no longer supported + +### Resolved issues + +- Upgraded the Go compiler to 1.23.7 +- (12140) Changed the maximum memory of the XML processing engine to 8GB +- (12254) A modified YAML file referenced by a JSON policy file causes a reload error when running `nginx -t` +- (12296) "Violation Bad Unescape" is not enabled by default +- (12297) "Violation Encoding" is not enabled by default + +### 5.6 packages + +#### NGINX Open Source + +| Distribution name | Package file | +|--------------------------|-------------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_ | + +#### NGINX Plus + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-plus-34+5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_ | + +### 4.14 packages + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------| +| Alpine 3.19 | _app-protect-34.5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect_34+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect_34+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect_34+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect_34+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect_34+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-34+5.342.0-1.el9.ngx.x86_64.rpm_ | \ No newline at end of file diff --git a/content/waf/features/_index.md b/content/waf/features/_index.md new file mode 100644 index 000000000..05cb5a884 --- /dev/null +++ b/content/waf/features/_index.md @@ -0,0 +1,6 @@ +--- +title: "Features" +url: /app-protect-waf/features/ +weight: 700 +draft: true +--- \ No newline at end of file diff --git a/content/waf/fundamentals/_index.md b/content/waf/fundamentals/_index.md new file mode 100644 index 000000000..ed0e1f6a7 --- /dev/null +++ b/content/waf/fundamentals/_index.md @@ -0,0 +1,5 @@ +--- +title: "Fundamentals" +url: /app-protect-waf/fundamentals/ +weight: 100 +--- \ No newline at end of file diff --git a/content/waf/fundamentals/overview.md b/content/waf/fundamentals/overview.md new file mode 100644 index 000000000..c0839cae4 --- /dev/null +++ b/content/waf/fundamentals/overview.md @@ -0,0 +1,38 @@ +--- +# We use sentence case and present imperative tone +title: "Overview" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to describing what NGINX App Protect is, expanding on the detail from the [landing page]({{< ref "/waf/" >}}). + +It is also an opportunity to explain the difference between NGINX App Protect versions, and how integrates with other products in the NGINX ecosystem. + +The text here will likely be synthesized from the Overview descriptions at the top of the [Administration Guides]({{< ref "/nap-waf/v4/admin-guide/install.md#overview" >}}), but there's also detail from [F5.com](https://www.f5.com/products/nginx/nginx-app-protect) that can be added. + +{{< /call-out >}} + +[F5 WAF for NGINX](https://www.f5.com/products/nginx/nginx-app-protect) is an advanced, lightweight and high-performance web application firewall (WAF) for applications and APIs. + +It provides protection for the OWASP Top 10, with additional functionality: + +- HTTP response inspection and protocol compliance +- Data schema validation (JSON & XML) +- Meta character checking +- Disallowing file types + +For more details, see the [Supported security policy features]({{< ref "/waf/fundamentals/technical-specifications.md#supported-security-policy-features">}}). + +F5 WAF for NGINX is part of the [NGINX One](https://www.f5.com/products/nginx/one) premium packages and runs natively on [NGINX Plus](https://www.f5.com/products/nginx/nginx-plus) and [NGINX Ingress Controller](https://www.f5.com/products/nginx/nginx-ingress-controller). + +It is platform-agnostic and supports deployment options ranging from edge load balancers to individual pods in Kubernetes clusters. diff --git a/content/waf/fundamentals/technical-specifications.md b/content/waf/fundamentals/technical-specifications.md new file mode 100644 index 000000000..97e2abbc7 --- /dev/null +++ b/content/waf/fundamentals/technical-specifications.md @@ -0,0 +1,83 @@ +--- +# We use sentence case and present imperative tone +title: "Technical specifications" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a single source of truth for supported operating systems and version compatibility. + +It follows a design pattern set by other NGINX product sets, showing various compatibility matrices: + +- [NGINX Plus]({{< ref "/nginx/technical-specs.md" >}}) +- [NGINX Instance Manager]({{< ref "/nim/fundamentals/tech-specs.md" >}}) +- [NGINX Ingress Controller]({{< ref "/nic/technical-specifications.md" >}}) + +It is also where information about the [Supported Security Policy Features]({{< ref "/nap-waf/v4/configuration-guide/configuration.md#supported-security-policy-features" >}}) could be referenced, though most of that detail will instead be kept in the new top-level "Policies" section. + +{{}} + +This page outlines the technical specifications for F5 WAF for NGINX, which includes the minimum requirements and supported platforms. + +## Supported deployment environments + +You can deploy F5 WAF for NGINX in the following environments: + +- **Virtual environment** (or bare metal) +- **Container** (Docker) +- **Kubernetes** + +View the [Install section]({{< ref "/waf/install/" >}}) for information on deploying F5 WAF for NGINX. + +## Supported operating systems + +| Distribution | Version | +| ------------------ | ------------ | +| Alpine Linux | 3.19 | +| Amazon Linux | 2023 | +| Debian | 11, 12 | +| Oracle Linux | 8.1 | +| Ubuntu | 22.04, 24.04 | +| RHEL / Rocky Linux | 8, 9 | + +For release-specific packages, view the [Changelog]({{< ref "/waf/changelog.md" >}}). + + +### Package dependencies + +The F5 WAF for NGINX package has the following dependencies: + +| Module name | Description | +| ------------------------------------------ | ----------- | +| nginx-plus-module-appprotect | NGINX Plus dynamic module for F5 WAF for NGINX | +| app-protect-engine | The F5 WAF for NGINX enforcement engine | +| app-protect-plugin | The F5 WAF for NGINX connector API between the engine and the NGINX Plus dynamic module | +| app-protect-compiler | The F5 WAF for NGINX enforcement engine compiler agent | +| app-protect-common | The F5 WAF for NGINX shared libraries package | +| app-protect-geoip | The F5 WAF for NGINX geolocation update package | +| app-protect-graphql | The F5 WAF for NGINX shared library package for GraphQL protection | +| app-protect-attack-signatures | The F5 WAF for NGINX attack signatures update package | +| app-protect-threat-campaigns | The F5 WAF for NGINX threat campaigns update package | +| app-protect-bot-signatures | The F5 WAF for NGINX bot signatures update package | +| app-protect-selinux (**1**) | The prebuilt SELinux policy module for F5 WAF for NGINX | +| app-protect-ip-intelligence (**1**, **2**) | Necessary for the IP intelligence feature | + +1. _Optional dependencies_ +2. _This package needs to be installed separately, and includes a client for downloading and updating the feature's database_ + +## Supported security policy features + +The following security policy features are available with F5 WAF for NGINX. + +The names link to additional information in the [Configure policies]({{< ref "/waf/policies/configuration.md" >}}) topic. + +{{< include "waf/supported-policy-features.md" >}} \ No newline at end of file diff --git a/content/waf/fundamentals/terminology.md b/content/waf/fundamentals/terminology.md new file mode 100644 index 000000000..3e54e1af8 --- /dev/null +++ b/content/waf/fundamentals/terminology.md @@ -0,0 +1,46 @@ +--- +# We use sentence case and present imperative tone +title: "Terminology" +# Weights are assigned in increments of 100: determines sorting order +weight: 300 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +This page defines terminology used when describing functionality of F5 WAF for NGINX. + +It assumes you are familiar with various layer 7 (L7) hypertext transfer protocol (HTTP) concepts such as: + +- Uniform Resource Identifier (URI) +- Uniform Resource Location (URL) +- HTTP methods and status codes +- HTTP headings, requests, responses, and parameters +- Cookies + +## Terms and definitions + +|Term | Definition | +| ---| --- | +| Alarm | If selected, the F5 WAF for NGINX system records requests that trigger the violation in the remote log (depending on the settings of the logging profile). | +| Attack signature | Textual patterns which can be applied to HTTP requests and/or responses by F5 WAF for NGINX to determine if traffic is malicious. For example, the string `